Sun Ehrd vulnerabilities
6 known vulnerabilities affecting sun/ehrd.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2
Vulnerabilities
CVE-2021-43360 HIGH CVSS 8.8 v8 v9 2021-12-01
CVE-2021-43360 [HIGH] CWE-502
The serialization function of the Sunnet eHRD e-mail delivery task schedule has inadequate input object validation and restriction, which allows a post-authenticated remote attacker with database access privilege to execute arbitrary code and control the system or interrupt services.
nvd
CVE-2021-43359 HIGH CVSS 8.8 v8 v9 2021-12-01
CVE-2021-43359 [HIGH] CWE-732
Sunnet eHRD has a broken access control vulnerability, which allows a remote attacker to access the account management page after being authenticated as a general user, then perform privilege escalation to execute arbitrary code and control the system or interrupt services.
nvd
CVE-2021-43358 HIGH CVSS 7.5 v8 v9 2021-12-01
CVE-2021-43358 [HIGH] CWE-22
Sunnet eHRD has inadequate filtering for special characters in URLs, which allows a remote attacker to perform path traversal attacks without authentication, access restricted paths and download system files.
nvd
CVE-2020-10508 HIGH CVSS 7.5 v8 v9 2020-03-27
CVE-2020-10508 [HIGH]
Sunnet eHRD, a human training and development management system, improperly stores system files. Attackers can use a specific URL and capture confidential information.
nvd
CVE-2020-10510 MEDIUM CVSS 6.5 v8 v9 2020-03-27
CVE-2020-10510 [HIGH] CWE-863
Sunnet eHRD, a human training and development management system, contains a Broken Access Control vulnerability. After login, attackers can use a specific URL to access unauthorized functionality and data.
nvd
CVE-2020-10509 MEDIUM CVSS 6.1 v8.0 v9.0 2020-03-27
CVE-2020-10509 [MEDIUM] CWE-79
Sunnet eHRD, a human training and development management system, contains a Cross-Site Scripting (XSS) vulnerability. Attackers can inject arbitrary commands into the system and launch XSS attacks.
nvd