Improper access control in HR Portal

#VU50806 Improper access control in HR Portal

Published: 2021-02-18

Vulnerability identifier: #VU50806

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22853

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HR Portal
Other software / Other software solutions

Vendor: Soar Cloud System

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can bypass implemented security restrictions to access sensitive data and cause the login function not to work.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

HR Portal: 7.3.2020.1013

External links
http://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Soar Cloud System HR Portal