CVE-2022-27055

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-27055
ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including the database record password. NOTE: the vendor disputes this because the environment file is in the data directory, which is not intended for access by website visitors (only the statics directory can be accessed by website visitors)

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Controllers/IndexController.php#L74-L78 Exploit Third Party Advisory
https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Helper.php#L312-L318 Exploit Third Party Advisory
https://github.com/ecjia/ecjia-daojia/issues/20 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:ecjia:daojia:1.38.1-20210202629:*:*:*:*:*:*:*
History

07 Nov 2023, 03:45

Type Values Removed Values Added
Summary ** DISPUTED ** ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including the database record password. NOTE: the vendor disputes this because the environment file is in the data directory, which is not intended for access by website visitors (only the statics directory can be accessed by website visitors). ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including the database record password. NOTE: the vendor disputes this because the environment file is in the data directory, which is not intended for access by website visitors (only the statics directory can be accessed by website visitors)

27 Apr 2022, 18:48

Type Values Removed Values Added
First Time Ecjia daojia
Ecjia
CWE CWE-863
CVSS v2 : unknown
v3 : unknown 		v2 : 5.0
v3 : 7.5
CPE cpe:2.3:a:ecjia:daojia:1.38.1-20210202629:*:*:*:*:*:*:*
References (MISC) https://github.com/ecjia/ecjia-daojia/issues/20 - (MISC) https://github.com/ecjia/ecjia-daojia/issues/20 - Third Party Advisory
References (MISC) https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Controllers/IndexController.php#L74-L78 - (MISC) https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Controllers/IndexController.php#L74-L78 - Exploit, Third Party Advisory
References (MISC) https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Helper.php#L312-L318 - (MISC) https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Helper.php#L312-L318 - Exploit, Third Party Advisory

19 Apr 2022, 17:41

Type Values Removed Values Added
New CVE
Information

Published : 2022-04-19 17:15

Updated : 2024-04-11 01:15

NVD link : CVE-2022-27055

Mitre link : CVE-2022-27055

CVE.ORG link : CVE-2022-27055

JSON object : View

Products Affected

ecjia

  • daojia
CWE
CWE-863

Incorrect Authorization