Published: Jul 19, 2021 - 11:55 a.m.

CVE-2021-35963 Learningdigital.com, Inc. Orca HCM - Unrestricted Upload of File with Dangerous Type

Published: 2021-07-19 11:55:38
Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Source: twcert (www.cve.org)
Tags: orca hcm, remote attackers, upload, malicious files, rce attacks, file format filtering

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.9 (Confidence: High)
EPSS: 0.004 (Percentile: 73.7%)

A specific parameter of the upload function of the Orca HCM digital learning platform does not filter the file format, which allows remote unauthenticated attackers to upload files containing malicious script and achieve remote code execution (RCE).

CNA Affected

[
  {
    "product": "Orca HCM",
    "vendor": "Learningdigital.com, Inc.",
    "versions": [
      {
        "lessThanOrEqual": "10.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
