[High Risk] Fanwei e-cology9 has an arbitrary user login vulnerability - Code World

[High Risk] Fanwei e-cology9 has an arbitrary user login vulnerability

News 2023-06-12 09:13:35 views: null

Vulnerability description

Pan-micro collaborative management application platform (e-cology) is a large-scale collaborative management platform for enterprises.

In some versions of Fanwei e-cology9, there is a login vulnerability for any user in the foreground, because the system defaults to configuring a fixed key for user authentication.

When the /mobile/plugin/1/ofsLogin.jsp file exists (possibly installed through a plug-in), an attacker can bypass user authentication by constructing a malicious HTTP request to access /mobile/plugin/1/ofsLogin.jsp and realize arbitrary user authentication. Log in, causing sensitive data leakage.

Vulnerability name	Fanwei e-cology9 has an arbitrary user login vulnerability
Vulnerability type	Inappropriate authentication mechanism
Discovery time	2023/5/16
Vulnerability Breadth	wide
MPS number	MPS-qj5s-7z0o
CVE number	-
CNVD number	-

Sphere of influence

e-cology9@(-∞, 10.57.2)

Repair plan

Upgrade component e-cology9 to version 10.57.2 and above

reference link

https://www.oscs1024.com/hd/MPS-qj5s-7z0o

https://www.weaver.com.cn/cs/securityDownload.asp

About Murphy Security

Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj

insert image description here

Guess you like

Origin blog.csdn.net/murphysec/article/details/131091430

[High Risk] Fanwei e-cology9 has an arbitrary user login vulnerability

[High Risk] Fanwei e-cology9 has an arbitrary user login vulnerability

[Vulnerability Warning] Fanwei E-Cology ofsLogin random user login vulnerability

Fanwei OA e-cology9 has sql injection

Fanwei e-cology9 SQL injection vulnerability recurrence (QVD-2023-5012)

Fanwei e-cology9 SQL injection vulnerability reappears【QVD-2023-5012】

[High Risk] Smartbi Login Code Logic Vulnerability

A security browser has also been found to be a high-risk vulnerability?

[High risk] GitLab CE/EE has a stored XSS vulnerability

[High Risk] Apache Nifi JMS component has JNDI deserialization vulnerability

[Medium Risk] Apache Airflow Drill Provider < 2.4.3 has an arbitrary file read vulnerability

[High Risk] Apache Airflow Spark Provider Arbitrary File Read Vulnerability (CVE-2023-40272)

[Vulnerability recurrence] Tongda OA v11.7 online arbitrary user login vulnerability

Reproduce the User Login Arbitrary File Reading Vulnerability of HUAWEI Firewall (1day)

[Laboratory] know Chong Yu Zhiyuan 404 OA System Remote arbitrary code execution vulnerability in high-risk security warning

[High risk] jeecg-boot/building block report based on the arbitrary code execution vulnerability of the H2 driver

【1day】Fanwei E-Mobile 6.6 has a command execution vulnerability

A security browser has also been found to be a high-risk vulnerability? Open source security issues cannot be ignored

[High risk] Apache Cassandra has an unauthorized vulnerability that leads to remote command execution

Zhiyuan OA arbitrary administrator login vulnerability analysis

[High Risk] Code Execution Vulnerability in WPS Office

[Vulnerability recurrence] Fanwei e-cology front desk SQL injection vulnerability

npm installation (high severity) high-risk vulnerability reminder

Chanjet TPlus DownloadProxy.aspx has an arbitrary file read vulnerability

A micro-e-office collaborative management system has an arbitrary file reading vulnerability that reappears CNVD-2022-07603

Tongda OA arbitrary user login reproduction (manual use & script use)

Smartbi Built-in User Login Bypass Vulnerability

[Medium Risk] Guava<32.0.0 has a race condition vulnerability

WordPress plugin Mailpress high-risk remote command execution vulnerability

Zabbix high-risk SQL injection vulnerability and repair plan

Recommended

The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!

Ranking

Getting the basic concepts of ROS + catkin Profile

Spring Learning (2) --- Assembling Beans in the IoC Container

js to get the src attribute of the image regularly

STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud

Short video learning - 3, pandas simple use of pivot_table

Print directory of project configuration log, output log

Understand the difference between vi and vim in Linux in 3 minutes

1 + x certificate Web front-end development HTML5 special exercises

mangodb save and insert the difference

7-1 Family tree processing (50 points) (binary tree solution)

Daily

More

2024-05-13(8)

2024-05-12(28)

2024-05-11(32)

2024-05-10(34)

2024-05-09(32)

2024-05-08(18)

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)

2024-05-04(18)