Search

Find a vulnerability

Search criteria

    18 vulnerabilities by Soar Cloud System CO., LTD.

    CVE-2025-5192 (GCVE-0-2025-5192)

    Vulnerability from nvd – Published: 2025-06-06 09:15 – Updated: 2025-06-06 13:59
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Missing Authentication for Critical Function
    Summary
    A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-04 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T13:59:33.836809Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T13:59:48.427Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions."
                }
              ],
              "value": "A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:15:17.081Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-04"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-04"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Missing Authentication for Critical Function",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-5192",
        "datePublished": "2025-06-06T09:15:17.081Z",
        "dateReserved": "2025-05-26T06:22:57.842Z",
        "dateUpdated": "2025-06-06T13:59:48.427Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48784 (GCVE-0-2025-48784)

    Vulnerability from nvd – Published: 2025-06-06 09:28 – Updated: 2025-06-06 15:43
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Missing Authorization
    Summary
    A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-09 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48784",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:42:21.194815Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T15:43:27.120Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization."
                }
              ],
              "value": "A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:28:39.751Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-09"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-09"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Missing Authorization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48784",
        "datePublished": "2025-06-06T09:28:39.751Z",
        "dateReserved": "2025-05-26T06:21:43.118Z",
        "dateUpdated": "2025-06-06T15:43:27.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48783 (GCVE-0-2025-48783)

    Vulnerability from nvd – Published: 2025-06-06 09:27 – Updated: 2025-06-06 15:46
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - External Control of File Name or Path
    Summary
    An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-08 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48783",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:44:25.978152Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T15:46:21.188Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths."
                }
              ],
              "value": "An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:27:01.375Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-08"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-08"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - External Control of File Name or Path",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48783",
        "datePublished": "2025-06-06T09:27:01.375Z",
        "dateReserved": "2025-05-26T06:21:43.118Z",
        "dateUpdated": "2025-06-06T15:46:21.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48782 (GCVE-0-2025-48782)

    Vulnerability from nvd – Published: 2025-06-06 09:24 – Updated: 2025-06-06 15:52
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Unrestricted Upload of File with Dangerous Type
    Summary
    An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-07 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48782",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:51:16.308498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T15:52:16.480Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file."
                }
              ],
              "value": "An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:24:17.416Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-07"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-07"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Unrestricted Upload of File with Dangerous Type",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48782",
        "datePublished": "2025-06-06T09:24:17.416Z",
        "dateReserved": "2025-05-26T06:21:43.117Z",
        "dateUpdated": "2025-06-06T15:52:16.480Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48781 (GCVE-0-2025-48781)

    Vulnerability from nvd – Published: 2025-06-06 09:21 – Updated: 2025-06-06 16:57
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - External Control of File Name or Path
    Summary
    An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-06 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48781",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T16:51:27.381357Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T16:57:16.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths."
                }
              ],
              "value": "An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73: External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:21:58.306Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-06"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-06"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - External Control of File Name or Path",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48781",
        "datePublished": "2025-06-06T09:21:58.306Z",
        "dateReserved": "2025-05-26T06:21:43.117Z",
        "dateUpdated": "2025-06-06T16:57:16.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48780 (GCVE-0-2025-48780)

    Vulnerability from nvd – Published: 2025-06-06 09:19 – Updated: 2025-06-06 17:01
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Deserialization of Untrusted Data
    Summary
    A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-05 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T16:59:11.139289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:01:45.638Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object."
                }
              ],
              "value": "A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:19:04.101Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-05"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-05"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Deserialization of Untrusted Data",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48780",
        "datePublished": "2025-06-06T09:19:04.101Z",
        "dateReserved": "2025-05-26T06:21:43.117Z",
        "dateUpdated": "2025-06-06T17:01:45.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22855 (GCVE-0-2021-22855)

    Vulnerability from nvd – Published: 2021-02-17 13:30 – Updated: 2024-09-16 20:52
    VLAI
    Title
    Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution
    Summary
    The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Date Public
    2021-02-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:51:07.567Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HR Portal",
              "vendor": "Soar Cloud System Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "0 7.3.2020.1013"
                }
              ]
            }
          ],
          "datePublic": "2021-02-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-19T18:37:04.000Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 7.3.2020.1110"
            }
          ],
          "source": {
            "advisory": "TVN-202101009",
            "discovery": "EXTERNAL"
          },
          "title": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
              "ID": "CVE-2021-22855",
              "STATE": "PUBLIC",
              "TITLE": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HR Portal",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "0",
                                "version_value": "7.3.2020.1013"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Soar Cloud System Co., Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
                },
                {
                  "name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
                  "refsource": "CONFIRM",
                  "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 7.3.2020.1110"
              }
            ],
            "source": {
              "advisory": "TVN-202101009",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2021-22855",
        "datePublished": "2021-02-17T13:30:20.743Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:52:52.968Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22854 (GCVE-0-2021-22854)

    Vulnerability from nvd – Published: 2021-02-17 13:30 – Updated: 2024-09-16 22:56
    VLAI
    Title
    Soar Cloud System Co., Ltd. HR Portal - SQL Injection
    Summary
    The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2021-02-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:51:07.628Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HR Portal",
              "vendor": "Soar Cloud System Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "0 7.3.2020.1013"
                }
              ]
            }
          ],
          "datePublic": "2021-02-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-19T18:36:53.000Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 7.3.2020.1110"
            }
          ],
          "source": {
            "advisory": "TVN-202101008",
            "discovery": "EXTERNAL"
          },
          "title": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
              "ID": "CVE-2021-22854",
              "STATE": "PUBLIC",
              "TITLE": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HR Portal",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "0",
                                "version_value": "7.3.2020.1013"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Soar Cloud System Co., Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
                },
                {
                  "name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
                  "refsource": "CONFIRM",
                  "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 7.3.2020.1110"
              }
            ],
            "source": {
              "advisory": "TVN-202101008",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2021-22854",
        "datePublished": "2021-02-17T13:30:20.119Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:56:59.729Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22853 (GCVE-0-2021-22853)

    Vulnerability from nvd – Published: 2021-02-17 13:30 – Updated: 2024-09-17 04:04
    VLAI
    Title
    Soar Cloud System Co., Ltd. HR Portal - Broken Access Control
    Summary
    The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Date Public
    2021-02-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:51:07.564Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HR Portal",
              "vendor": "Soar Cloud System Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "0 7.3.2020.1013"
                }
              ]
            }
          ],
          "datePublic": "2021-02-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-19T18:36:38.000Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 7.3.2020.1110"
            }
          ],
          "source": {
            "advisory": "TVN-202101007",
            "discovery": "EXTERNAL"
          },
          "title": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
              "ID": "CVE-2021-22853",
              "STATE": "PUBLIC",
              "TITLE": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HR Portal",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "0",
                                "version_value": "7.3.2020.1013"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Soar Cloud System Co., Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
                },
                {
                  "name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
                  "refsource": "CONFIRM",
                  "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 7.3.2020.1110"
              }
            ],
            "source": {
              "advisory": "TVN-202101007",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2021-22853",
        "datePublished": "2021-02-17T13:30:19.537Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:04:36.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48784 (GCVE-0-2025-48784)

    Vulnerability from cvelistv5 – Published: 2025-06-06 09:28 – Updated: 2025-06-06 15:43
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Missing Authorization
    Summary
    A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-09 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48784",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:42:21.194815Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T15:43:27.120Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization."
                }
              ],
              "value": "A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:28:39.751Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-09"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-09"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Missing Authorization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48784",
        "datePublished": "2025-06-06T09:28:39.751Z",
        "dateReserved": "2025-05-26T06:21:43.118Z",
        "dateUpdated": "2025-06-06T15:43:27.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48783 (GCVE-0-2025-48783)

    Vulnerability from cvelistv5 – Published: 2025-06-06 09:27 – Updated: 2025-06-06 15:46
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - External Control of File Name or Path
    Summary
    An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-08 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48783",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:44:25.978152Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T15:46:21.188Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths."
                }
              ],
              "value": "An external control of file name or path vulnerability in the delete file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to delete partial files by specifying arbitrary file paths."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:27:01.375Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-08"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-08"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - External Control of File Name or Path",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48783",
        "datePublished": "2025-06-06T09:27:01.375Z",
        "dateReserved": "2025-05-26T06:21:43.118Z",
        "dateUpdated": "2025-06-06T15:46:21.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48782 (GCVE-0-2025-48782)

    Vulnerability from cvelistv5 – Published: 2025-06-06 09:24 – Updated: 2025-06-06 15:52
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Unrestricted Upload of File with Dangerous Type
    Summary
    An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-07 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48782",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T15:51:16.308498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T15:52:16.480Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file."
                }
              ],
              "value": "An unrestricted upload of file with dangerous type vulnerability in the upload file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a malicious file."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:24:17.416Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-07"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-07"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Unrestricted Upload of File with Dangerous Type",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48782",
        "datePublished": "2025-06-06T09:24:17.416Z",
        "dateReserved": "2025-05-26T06:21:43.117Z",
        "dateUpdated": "2025-06-06T15:52:16.480Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48781 (GCVE-0-2025-48781)

    Vulnerability from cvelistv5 – Published: 2025-06-06 09:21 – Updated: 2025-06-06 16:57
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - External Control of File Name or Path
    Summary
    An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-06 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48781",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T16:51:27.381357Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T16:57:16.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths."
                }
              ],
              "value": "An external control of file name or path vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to obtain partial files by specifying arbitrary file paths."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73: External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:21:58.306Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-06"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-06"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - External Control of File Name or Path",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48781",
        "datePublished": "2025-06-06T09:21:58.306Z",
        "dateReserved": "2025-05-26T06:21:43.117Z",
        "dateUpdated": "2025-06-06T16:57:16.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48780 (GCVE-0-2025-48780)

    Vulnerability from cvelistv5 – Published: 2025-06-06 09:19 – Updated: 2025-06-06 17:01
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Deserialization of Untrusted Data
    Summary
    A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-05 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48780",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T16:59:11.139289Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T17:01:45.638Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object."
                }
              ],
              "value": "A deserialization of untrusted data vulnerability in the download file function of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to execute arbitrary system commands via a crafted serialized object."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:19:04.101Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-05"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-05"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Deserialization of Untrusted Data",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-48780",
        "datePublished": "2025-06-06T09:19:04.101Z",
        "dateReserved": "2025-05-26T06:21:43.117Z",
        "dateUpdated": "2025-06-06T17:01:45.638Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-5192 (GCVE-0-2025-5192)

    Vulnerability from cvelistv5 – Published: 2025-06-06 09:15 – Updated: 2025-06-06 13:59
    VLAI
    Title
    Soar Cloud HRD Human Resource Management System - Missing Authentication for Critical Function
    Summary
    A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    URL Tags
    https://zuso.ai/advisory/za-2025-04 third-party-advisory
    Impacted products
    Date Public
    2025-06-06 04:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5192",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-06T13:59:33.836809Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-06T13:59:48.427Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "HRD Human Resource Management System",
              "vendor": "Soar Cloud System CO., LTD.",
              "versions": [
                {
                  "lessThanOrEqual": "7.3.2025.0408",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2025-06-06T04:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions."
                }
              ],
              "value": "A missing authentication for critical function vulnerability in the client application of Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to bypass authentication and access application functions."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306 Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-06T09:15:17.081Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://zuso.ai/advisory/za-2025-04"
            }
          ],
          "source": {
            "defect": [
              "ZA-2025-04"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Soar Cloud HRD Human Resource Management System - Missing Authentication for Critical Function",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2025-5192",
        "datePublished": "2025-06-06T09:15:17.081Z",
        "dateReserved": "2025-05-26T06:22:57.842Z",
        "dateUpdated": "2025-06-06T13:59:48.427Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22855 (GCVE-0-2021-22855)

    Vulnerability from cvelistv5 – Published: 2021-02-17 13:30 – Updated: 2024-09-16 20:52
    VLAI
    Title
    Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution
    Summary
    The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Date Public
    2021-02-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:51:07.567Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HR Portal",
              "vendor": "Soar Cloud System Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "0 7.3.2020.1013"
                }
              ]
            }
          ],
          "datePublic": "2021-02-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-19T18:37:04.000Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 7.3.2020.1110"
            }
          ],
          "source": {
            "advisory": "TVN-202101009",
            "discovery": "EXTERNAL"
          },
          "title": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
              "ID": "CVE-2021-22855",
              "STATE": "PUBLIC",
              "TITLE": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HR Portal",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "0",
                                "version_value": "7.3.2020.1013"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Soar Cloud System Co., Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-502 Deserialization of Untrusted Data"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
                },
                {
                  "name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
                  "refsource": "CONFIRM",
                  "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 7.3.2020.1110"
              }
            ],
            "source": {
              "advisory": "TVN-202101009",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2021-22855",
        "datePublished": "2021-02-17T13:30:20.743Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:52:52.968Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22854 (GCVE-0-2021-22854)

    Vulnerability from cvelistv5 – Published: 2021-02-17 13:30 – Updated: 2024-09-16 22:56
    VLAI
    Title
    Soar Cloud System Co., Ltd. HR Portal - SQL Injection
    Summary
    The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege.
    CWE
    Assigner
    References
    Impacted products
    Date Public
    2021-02-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:51:07.628Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HR Portal",
              "vendor": "Soar Cloud System Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "0 7.3.2020.1013"
                }
              ]
            }
          ],
          "datePublic": "2021-02-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-19T18:36:53.000Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 7.3.2020.1110"
            }
          ],
          "source": {
            "advisory": "TVN-202101008",
            "discovery": "EXTERNAL"
          },
          "title": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
              "ID": "CVE-2021-22854",
              "STATE": "PUBLIC",
              "TITLE": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HR Portal",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "0",
                                "version_value": "7.3.2020.1013"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Soar Cloud System Co., Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
                },
                {
                  "name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
                  "refsource": "CONFIRM",
                  "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 7.3.2020.1110"
              }
            ],
            "source": {
              "advisory": "TVN-202101008",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2021-22854",
        "datePublished": "2021-02-17T13:30:20.119Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:56:59.729Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-22853 (GCVE-0-2021-22853)

    Vulnerability from cvelistv5 – Published: 2021-02-17 13:30 – Updated: 2024-09-17 04:04
    VLAI
    Title
    Soar Cloud System Co., Ltd. HR Portal - Broken Access Control
    Summary
    The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Date Public
    2021-02-17 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T18:51:07.564Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HR Portal",
              "vendor": "Soar Cloud System Co., Ltd.",
              "versions": [
                {
                  "status": "affected",
                  "version": "0 7.3.2020.1013"
                }
              ]
            }
          ],
          "datePublic": "2021-02-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-19T18:36:38.000Z",
            "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            "shortName": "twcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 7.3.2020.1110"
            }
          ],
          "source": {
            "advisory": "TVN-202101007",
            "discovery": "EXTERNAL"
          },
          "title": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "TWCERT/CC",
              "ASSIGNER": "cve@cert.org.tw",
              "DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
              "ID": "CVE-2021-22853",
              "STATE": "PUBLIC",
              "TITLE": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HR Portal",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "0",
                                "version_value": "7.3.2020.1013"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Soar Cloud System Co., Ltd."
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html",
                  "refsource": "MISC",
                  "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
                },
                {
                  "name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
                  "refsource": "CONFIRM",
                  "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 7.3.2020.1110"
              }
            ],
            "source": {
              "advisory": "TVN-202101007",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "assignerShortName": "twcert",
        "cveId": "CVE-2021-22853",
        "datePublished": "2021-02-17T13:30:19.537Z",
        "dateReserved": "2021-01-06T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:04:36.098Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }