【Vulnerability Alert】Multiple High-Risk Security Vulnerabilities (CVE-2023-48392 to CVE-2023-48395) in 凱發科技 WebITR Attendance System - Please Verify and Patch Immediately!

Publish date: 2024-04-02    Update date: 2024-04-15

Source: Ministry of Education Information & Communication Security Contingency Platform

Publication Number: TACERT-ANA-2024040110045353
Publication Time: 2024/03/29 10:46
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2024/04/01 10:46
Impact Level: Medium
[Subject]
【Vulnerability Alert】Multiple High-Risk Security Vulnerabilities (CVE-2023-48392 to CVE-2023-48395) in 凱發科技 WebITR Attendance System - Please Verify and Patch Immediately!
[Content]
Forwarded from the National Institute of Cyber Security (NISAC-200-202403-00000178)

Researchers have disclosed multiple high-risk security vulnerabilities (CVE-2023-48392 through CVE-2023-48395) in the 凱發科技 WebITR Attendance System. Two of them, CVE-2023-48392 and CVE-2023-48394, carry a severity score of 8.8 or higher, and exploitation by attackers has already been observed in the wild. Please verify whether your deployment is affected and patch as soon as possible.

● CVE-2023-48392: The WebITR Attendance System uses a fixed encryption key, the same in every installation, to produce its login token. A remote attacker who has obtained that key can therefore generate a valid token parameter without any credentials, log in under any user identity, read system data, and run the functions that account is entitled to.
● CVE-2023-48394: The upload function of the WebITR Attendance System neither validates the uploaded file nor restricts where it is written, so a file can be placed at any location on the server. A remote attacker who is logged in with an ordinary user account can upload arbitrary files, leading to arbitrary code execution or disruption of the service. Note that the login prerequisite is trivially satisfied by CVE-2023-48392, so the two together give an unauthenticated path to code execution.
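To make the first item concrete, the following added example (written for this page; it is not code from 凱發科技 or the WebITR product, whose real token format is not published here) builds a small HMAC-signed login token the way a fixed-key design would, shows that anyone holding the shipped constant can mint a token for any account, and then shows the two things a fix of this class needs: a key provisioned per installation outside the code, and an expiry so a leaked token is not valid forever. The key value, the `WEBITR_TOKEN_KEY` environment variable name and the token layout are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed placeholder standing in for a key compiled into every install.
# Its exact value is irrelevant: the flaw is that it is the same everywhere.
FIXED_KEY = b"constructed-fixed-key-shared-by-all-installs"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, key: bytes, ttl: int = None, now: int = None) -> str:
    """Token = base64(json payload) '.' hex(HMAC-SHA256(key, payload)).

    Hypothetical layout. With ttl=None there is no expiry, which is how the
    vulnerable variant below uses it."""
    payload = {"user": user}
    if ttl is not None:
        payload["exp"] = (now if now is not None else int(time.time())) + ttl
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes, now: int = None):
    """Return the user name the token asserts, or None if it is invalid or expired."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time compare
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if exp is not None and (now if now is not None else int(time.time())) >= exp:
        return None
    return payload.get("user")


def attacker_forges(user: str) -> str:
    """The attacker pulled FIXED_KEY out of any copy of the product, so minting
    a token for an arbitrary account costs nothing."""
    return mint_token(user, FIXED_KEY)


def vulnerable_server_accepts(token: str):
    """Server side of a CVE-2023-48392-style design: verifies with the shared key."""
    return verify_token(token, FIXED_KEY)


def provision_install_key() -> str:
    """Run once at install time; the hex string goes into the deployment's secret store."""
    return secrets.token_hex(32)  # 256-bit random key, unique per installation


def load_install_key() -> bytes:
    """Hardened server loads its key from the environment (assumed variable name)."""
    key_hex = os.environ.get("WEBITR_TOKEN_KEY")
    if not key_hex:
        raise RuntimeError("WEBITR_TOKEN_KEY must be provisioned per installation")
    return bytes.fromhex(key_hex)


def hardened_server_accepts(token: str, install_key: bytes, now: int = None):
    return verify_token(token, install_key, now=now)


if __name__ == "__main__":
    forged = attacker_forges("admin")
    print("vulnerable server sees:", vulnerable_server_accepts(forged))   # admin
    os.environ["WEBITR_TOKEN_KEY"] = provision_install_key()
    key = load_install_key()
    print("hardened server sees:", hardened_server_accepts(forged, key))  # None
    short_lived = mint_token("alice", key, ttl=600, now=1_700_000_000)
    print("inside ttl:", hardened_server_accepts(short_lived, key, now=1_700_000_100))  # alice
    print("after ttl:", hardened_server_accepts(short_lived, key, now=1_700_000_700))   # None
```

The forged token is byte-for-byte valid on the vulnerable server because the only secret in the scheme is one the attacker already has; rotating to a per-install key invalidates it, and the expiry bounds the damage if a key or token leaks later. When applying the vendor patch, also rotate the key on the upgraded instance: a new version that still carries the old constant, or an install whose key was copied from documentation, is not fixed.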

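For the second item, the following added example (again written for this page, not the vendor's code; the upload root path, the allowed-extension list and the function names are assumptions) shows why joining a client-supplied file name onto a storage directory lets the caller choose the destination, and the checks that close it: keep only the final path component, allow-list the extension, let the server choose the stored name, and confirm the resolved path is still inside the upload root before writing.

```python
import os
import posixpath
import secrets
from pathlib import Path

# Assumed storage location; it must sit outside any directory the web server
# executes scripts from or serves files out of.
UPLOAD_ROOT = Path("/var/webitr/uploads")
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".jpeg"}


def vulnerable_target(client_filename: str) -> str:
    """Mirrors the flaw class: the client-supplied name is joined unchecked.

    '../' sequences walk out of the upload root, and an absolute name makes
    os.path.join discard the root entirely. normpath shows what the OS will do."""
    return os.path.normpath(os.path.join(str(UPLOAD_ROOT), client_filename))


def is_inside(root: Path, candidate: Path) -> bool:
    """True if candidate, after normalising '..' and symlinks, stays under root."""
    root_r = root.resolve()
    cand_r = candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


def safe_target(client_filename: str, root: Path = UPLOAD_ROOT, token: str = None) -> Path:
    """Return the path an upload may be written to, or raise ValueError.

    `token` is parameterised only so the result is reproducible in tests;
    in production it is always generated here."""
    # 1. Keep only the last component; treat backslashes as separators too,
    #    since the client may be a Windows browser or a deliberate bypass.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid file name")
    # 2. Allow-list the extension; a dotfile such as '.htaccess' has no suffix
    #    and is rejected as well.
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    # 3. The server chooses the stored name; the client never controls it.
    stored = f"{token or secrets.token_hex(16)}{ext}"
    target = root / stored
    # 4. Belt and braces: refuse anything that still resolves outside the root.
    if not is_inside(root, target):
        raise ValueError("destination escapes upload root")
    return target


def save_upload(client_filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Write data to a validated location, never overwriting an existing file."""
    target = safe_target(client_filename, root)
    root.mkdir(parents=True, exist_ok=True)
    # O_EXCL fails if the name already exists; mode 0o600 keeps it private.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    for attempt in ("../../www/shell.jsp", "/etc/cron.d/job", "report.pdf"):
        print(f"{attempt!r:28} vulnerable -> {vulnerable_target(attempt)}")
        try:
            print(f"{'':28} hardened   -> {safe_target(attempt, token='example')}")
        except ValueError as err:
            print(f"{'':28} hardened   -> rejected: {err}")
```

The extension check alone is not enough: an upload that lands in a directory the application server treats as executable is still game over, so the storage root has to be outside the web tree and the stored name has to be one the server picked. While waiting for the patch window, reviewing the upload directory and the web root for recently created files with unexpected names or extensions is a cheap way to check whether this path has already been used against a deployment.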
Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
● WebITR Attendance System 2_1_0_19 and all earlier versions
[Recommended Actions]
The vendor has released an official patch for these vulnerabilities. Please update to the following version:
● WebITR Attendance System 2_1_0_23 or later
[Reference]
(This notification is for informational purposes only and does not constitute a cybersecurity incident.)
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center