CVE-2021-42332

The “List View” function of ShinHer StudyOnline System is not under authority control. After logging in with user’s privilege, remote attackers can access the content of other users’ message boards by crafting URL parameters.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-5202-49681-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xinheinformation:xinhe_teaching_platform_system:v2021:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-10-15 12:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-42332

Mitre link : CVE-2021-42332

CVE.ORG link : CVE-2021-42332

JSON object : View

Products Affected

xinheinformation

xinhe_teaching_platform_system

CWE

NVD-CWE-Other CWE-285

Improper Authorization

{"id": "CVE-2021-42332", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2021-10-15T12:15:07.767", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-5202-49681-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "The \u201cList View\u201d function of ShinHer StudyOnline System is not under authority control. After logging in with user\u2019s privilege, remote attackers can access the content of other users\u2019 message boards by crafting URL parameters."}, {"lang": "es", "value": "La funci\u00f3n de \"List View\" del sistema ShinHer StudyOnline System no est\u00e1 bajo el control de la autoridad. Despu\u00e9s de iniciar la sesi\u00f3n con privilegios de usuario, unos atacantes remotos pueden acceder al contenido de los tableros de mensajes de otros usuarios al dise\u00f1ar par\u00e1metros de la URL"}], "lastModified": "2022-08-12T16:29:23.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xinheinformation:xinhe_teaching_platform_system:v2021:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E91C6E5-D003-4CF6-BE92-C7A9722FE749"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}