Lucene search

TwcertCVELIST:CVE-2021-35967

HistoryJul 19, 2021 - 11:55 a.m.

CVE-2021-35967 Learningdigital.com, Inc. Orca HCM - Path Traversal-1

2021-07-1911:55:45

CWE-22

twcert

www.cve.org

orca hcm

directory traversal

remote attackers

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

44.6%

JSON

The directory page parameter of the Orca HCM digital learning platform does not filter special characters. Remote attackers can access the system directory thru Path Traversal without logging in.

CNA Affected

[
  {
    "product": "Orca HCM",
    "vendor": "Learningdigital.com, Inc.",
    "versions": [
      {
        "lessThanOrEqual": "10.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

www.chtsecurity.com/news/ba7b3ae7-14f3-4970-b3f6-4d97d8c7ea25

www.twcert.org.tw/tw/cp-132-4927-bbf01-1.html

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

44.6%

JSON

Related for CVELIST:CVE-2021-35967