cbcvebase.
CVE-2023-6655
published 2023-12-10

CVE-2023-6655: A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file…

PriorityP180critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.77%
88.6th percentile
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.

Affected

2 ranges
VendorProductVersion rangeFixed in
hongjinge-hr
hrp2000e-hr

Detection & IOCsextracted from sources · hover to see the quote

path/w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree
url/w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?isroot=child&parentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--&kind=2&catalog_id=11&issuperuser=111&manageprive=111&action=111&target=
commandparentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--
  • Detect exploitation attempts by matching HTTP requests to the path containing the path-traversal sequence '%2e./.%2e' targeting the loadhistroyorgtree endpoint, which bypasses authentication at the Login Interface.
  • Detect time-based blind SQL injection via the 'parentid' parameter containing a WAITFOR DELAY payload (e.g., WAITFOR DELAY '0:0:6') in requests to the vulnerable endpoint.
  • Use time-based detection: a response duration >= 6 seconds to the crafted request indicates successful SQL injection exploitation.
  • Fingerprint vulnerable Hongjing e-HR instances by searching for the page title '人力资源信息管理系统' or body content containing '/hcm/themes/' to identify exposed targets.
  • The attack requires no authentication (PR:N, UI:N) and is exploitable remotely over the network (AV:N), making unauthenticated scanning for this endpoint high priority.
  • ·The SQL injection payload uses WAITFOR DELAY (MSSQL-specific syntax), indicating the backend database must be Microsoft SQL Server for this specific exploit to work.
  • ·The vulnerable path uses URL-encoded path traversal (%2e./.%2e) to bypass authentication at the oauthservlet endpoint; detection rules must account for both encoded and decoded forms of the traversal sequence.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck7.3HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.