23 lines
No EOL
1 KiB
Text
23 lines
No EOL
1 KiB
Text
# Exploit Title: Newgen Correspondence Management System (corms) eGov 12.0 - IDOR
|
|
# Date: 29 Dec 2020
|
|
# Exploit Author: ALI AL SINAN
|
|
# Vendor Homepage: https://newgensoft.com
|
|
# Software Link: https://newgensoft.com/solutions/industries/government/e-gov-office/
|
|
# Version: eGov 12.0
|
|
# Tested on: JBoss EAP 7
|
|
# CVE : CVE-2020-35737
|
|
-----------------------------------------------------
|
|
|
|
Description:
|
|
|
|
Correspondence management is the process of handling official incoming and outgoing correspondence in government agencies. The word “correspondence” in this context refers to physical letters, direct e-delivery, emails and faxes along with all their attachments that are received by the government agencies.
|
|
|
|
-----------------------------------------------------
|
|
|
|
Vulnerability:
|
|
|
|
Affected URL:
|
|
http://server/corms/dist/#/web/home/workdesk/inbox
|
|
|
|
Vulnerability Description:
|
|
user can manipulate parameter “UserIndex” in personal setting page. this parameter can allow un-authorized access to view or change other user's personal information. |