CVE-2023-6099 (GCVE-0-2023-6099)
Vulnerability from cvelistv5 – Published: 2023-11-13 15:31 – Updated: 2025-01-08 21:30
Title
Shenzhen Youkate Industrial Facial Love Cloud Payment System Account SystemMng.ashx privileges management
Summary
A vulnerability classified as critical has been found in Shenzhen Youkate Industrial Facial Love Cloud Payment System up to 1.0.55.0.0.1. This affects an unknown part of the file /SystemMng.ashx of the component Account Handler. The manipulation of the argument operatorRole with the input 00 leads to improper privilege management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-245061 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Severity
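7.3 (High) — CVSS v3.1 base score, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.3 (High) — CVSS v3.0 base score, same metric values (the record also carries a CVSS v2.0 base score of 7.5)
Note: the word "critical" in the summary appears to be the assigning CNA's own classification, not the CVSS rating, which is High. The CISA ADP SSVC entry in the record below lists Exploitation: poc, Automatable: yes and Technical Impact: total, so the low C/I/A values in the CVSS vector may understate the impact when triaging this privilege-management flaw.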
CWE
- CWE-269 - Improper Privilege Management
Assigner
VulDB
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.245061 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.245061 | signature, permissions-required |
| https://github.com/gatsby2003/Shenzhen-Youkate-In… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Shenzhen Youkate Industrial | Facial Love Cloud Payment System | Affected: 1.0.55.0.0.0; Affected: 1.0.55.0.0.1 | |
Credits
gatsby (VulDB User) — analyst
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.711Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.245061"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.245061"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/gatsby2003/Shenzhen-Youkate-Industrial-Co.-Ltd/blob/main/Shenzhen%20Youkate%20Industrial%20Co.%2C%20Ltd.md"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6099",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T21:29:52.626602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T21:30:08.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Account Handler"
],
"product": "Facial Love Cloud Payment System",
"vendor": "Shenzhen Youkate Industrial",
"versions": [
{
"status": "affected",
"version": "1.0.55.0.0.0"
},
{
"status": "affected",
"version": "1.0.55.0.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "gatsby (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in Shenzhen Youkate Industrial Facial Love Cloud Payment System up to 1.0.55.0.0.1. This affects an unknown part of the file /SystemMng.ashx of the component Account Handler. The manipulation of the argument operatorRole with the input 00 leads to improper privilege management. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-245061 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Shenzhen Youkate Industrial Facial Love Cloud Payment System bis 1.0.55.0.0.1 entdeckt. Sie wurde als kritisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei /SystemMng.ashx der Komponente Account Handler. Durch die Manipulation des Arguments operatorRole mit der Eingabe 00 mit unbekannten Daten kann eine improper privilege management-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-13T15:31:04.608Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.245061"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.245061"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/gatsby2003/Shenzhen-Youkate-Industrial-Co.-Ltd/blob/main/Shenzhen%20Youkate%20Industrial%20Co.%2C%20Ltd.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-11-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-11-13T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-11-13T11:17:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "Shenzhen Youkate Industrial Facial Love Cloud Payment System Account SystemMng.ashx privileges management"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-6099",
"datePublished": "2023-11-13T15:31:04.608Z",
"dateReserved": "2023-11-13T10:11:02.790Z",
"dateUpdated": "2025-01-08T21:30:08.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}