2021-10-01 10:56:25 +00:00
id : qihang-media-disclosure
2021-10-01 06:42:48 +00:00
info :
2022-05-30 16:17:42 +00:00
name : QiHang Media Web Digital Signage 3.0.9 - Cleartext Credentials Disclosure
2021-10-01 06:42:48 +00:00
author : gy741
2022-05-30 16:17:42 +00:00
severity : high
2022-05-31 09:12:37 +00:00
description : |
QiHang Media Web Digital Signage 3.0.9 suffers from a clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/User/User.xml and obtain administrative login information that allows for a successful authentication bypass attack.
2022-04-22 10:38:41 +00:00
reference :
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php
2022-05-30 16:17:42 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score : 8.3
cwe-id : CWE-522
2021-10-01 06:42:48 +00:00
tags : qihang,exposure
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2021-10-01 06:42:48 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-10-01 06:42:48 +00:00
- method : GET
path :
- "{{BaseURL}}/xml/User/User.xml"
matchers :
- type : word
2022-05-31 09:12:37 +00:00
part : body
2021-10-01 06:42:48 +00:00
words :
2021-10-01 10:56:25 +00:00
- "<?xml version"
- "<Users>"
- "account="
- "password="
2021-10-01 06:42:48 +00:00
condition : and