TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center

EIC e-document system - SQL Injection

| Field | Value |
| --- | --- |
| TVN ID | TVN-202101013 |
| CVE ID | CVE-2021-22859 |
| CVSS | 9.8 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected Products | EIC e-document system v3.0.2 |
| Description | The user data query function of the EIC e-document system does not filter special characters, which allows remote attackers to inject SQL syntax and execute arbitrary commands without privileges. |
| Solution | Update to version 3.0.4 |
| Credit | Tony Kuo (CHT Security) |
| Public Date | 2021-03-17 |