Vulnerability description
Pan-micro collaborative management application platform (e-cology) is a large-scale collaborative management platform for enterprises.
In some versions of Fanwei e-cology9, there is a login vulnerability for any user in the foreground, because the system defaults to configuring a fixed key for user authentication.
When the /mobile/plugin/1/ofsLogin.jsp file exists (possibly installed through a plug-in), an attacker can bypass user authentication by constructing a malicious HTTP request to access /mobile/plugin/1/ofsLogin.jsp and realize arbitrary user authentication. Log in, causing sensitive data leakage.
Vulnerability name | Fanwei e-cology9 has an arbitrary user login vulnerability |
---|---|
Vulnerability type | Inappropriate authentication mechanism |
Discovery time | 2023/5/16 |
Vulnerability Breadth | wide |
MPS number | MPS-qj5s-7z0o |
CVE number | - |
CNVD number | - |
Sphere of influence
e-cology9@(-∞, 10.57.2)
Repair plan
Upgrade component e-cology9 to version 10.57.2 and above
reference link
https://www.oscs1024.com/hd/MPS-qj5s-7z0o
https://www.weaver.com.cn/cs/securityDownload.asp
About Murphy Security
Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj