An issue was discovered in eteams OA v4.0.34. Because the session is not strictly validated, an ordinary account can obtain the account names and passwords of all employees in the company. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.
References
| Link | Resource |
|---|---|
| http://www.iwantacve.cn/index.php/archives/271/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-09-09T02:04:46
Updated: 2019-09-09T02:04:46
Reserved: 2019-09-08T00:00:00
Link: CVE-2019-16133
NVD Information
Status : Analyzed
Published: 2019-09-09T03:15:10.577
Modified: 2019-09-10T13:58:31.807
Link: CVE-2019-16133
Redhat Information
No data.
CWE