CVE-2023-6655
Published 2023-12-10
Priority P1 · 80 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 3.77% (88.6th percentile)
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hongjing | e-hr | — | — |
| hrp2000 | e-hr | — | — |
Detection & IOCs (extracted from sources)
- URL: /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?isroot=child&parentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--&kind=2&catalog_id=11&issuperuser=111&manageprive=111&action=111&target=
- Detect exploitation attempts by matching HTTP requests to the path containing the path-traversal sequence '%2e./.%2e' targeting the loadhistroyorgtree endpoint, which bypasses authentication at the Login Interface.
- Detect time-based blind SQL injection via the 'parentid' parameter containing a WAITFOR DELAY payload (e.g., WAITFOR DELAY '0:0:6') in requests to the vulnerable endpoint.
- Use time-based detection: a response duration >= 6 seconds to the crafted request indicates successful SQL injection exploitation.
- Fingerprint vulnerable Hongjing e-HR instances by searching for the page title '人力资源信息管理系统' or body content containing '/hcm/themes/' to identify exposed targets.
- The attack requires no authentication (PR:N, UI:N) and is exploitable remotely over the network (AV:N), making unauthenticated scanning for this endpoint high priority.
- The SQL injection payload uses WAITFOR DELAY (MSSQL-specific syntax), indicating the backend database must be Microsoft SQL Server for this specific exploit to work.
- The vulnerable path uses URL-encoded path traversal (%2e./.%2e) to bypass authentication at the oauthservlet endpoint; detection rules must account for both encoded and decoded forms of the traversal sequence.
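A defender-side log check covering the detection points above (the traversal sequence in both encoded and decoded forms, the WAITFOR DELAY marker in `parentid`, and the >= 6 second response time), written here as an added example rather than taken from any of the indexed sources. The access-log lines are constructed, and the field layout (method, request target, status, duration in milliseconds) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic).
# Assumed layout: METHOD TARGET STATUS DURATION_MS
SAMPLE_LOG = [
    "GET /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree"
    "?isroot=child&parentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--&kind=2 200 6120",
    "GET /w_selfservice/oauthservlet/../../general/inform/org/loadhistroyorgtree?parentid=1 200 85",
    "GET /general/inform/org/loadhistroyorgtree?isroot=child&parentid=42&kind=2 200 40",
    "GET /w_selfservice/oauthservlet/login 302 12",
]

ENDPOINT = "loadhistroyorgtree"
TIME_SQLI = re.compile(r"waitfor\s+delay", re.IGNORECASE)
DELAY_MS = 6000  # the page's ">= 6 seconds" threshold


def full_decode(s, rounds=3):
    """Percent-decode until stable, so %2e and %252e both collapse to '.'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(path):
    """True if any decoded path segment is '..' (covers '%2e./.%2e' and '../..')."""
    return any(seg == ".." for seg in full_decode(path).split("/"))


def classify(line):
    """Return detection labels for one log line; empty list means nothing matched."""
    method, target, status, duration_ms = line.split()
    parts = urlsplit(target)
    findings = []
    if has_traversal(parts.path) and ENDPOINT in full_decode(parts.path):
        findings.append("auth-bypass-traversal")
    # parse_qs decodes once and maps '+' to space; decode again for double-encoding
    params = parse_qs(parts.query, keep_blank_values=True)
    parentid = " ".join(full_decode(v) for v in params.get("parentid", []))
    if TIME_SQLI.search(parentid):
        findings.append("time-based-sqli")
        if int(duration_ms) >= DELAY_MS:
            findings.append("delay-observed")
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggered a detection."""
    return {i: f for i, f in ((i, classify(l)) for i, l in enumerate(lines)) if f}
```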
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 7.3 | HIGH | — |
GHSA
GHSA-56gh-x8h6-v3q6 (ghsa_unreviewed · 2023-12-10): CVE-2023-6655 [HIGH], CWE-89. Title and description are identical to the advisory text above.
VulnCheck
hrp2000 e-hr Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2023 · CVSS 7.3 · CVE-2023-6655 [HIGH]. Description is identical to the advisory text above.
Affected: hrp2000 e-hr
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: http
No detection rules found.
Nuclei
Hongjing e-HR 2020 - SQL Injection
nuclei · CVSS 9.8 · CVE-2023-6655 [CRITICAL]. Description is identical to the advisory text above.
Template (info block as indexed):

```yaml
id: CVE-2023-6655

info:
  name: Hongjing e-HR 2020 - SQL Injection
  author: pussycat0x
  severity: high
  description: |
    A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
```
No writeups or analysis indexed.
Timeline: 2023-12-10 published · exploited in the wild