CVE-2019-11232
CRITICALBiYan 1.57-2.8 - Unauthenticated User Information Leak via EMP_NO Parameter
Title source: llmDescription
EXCELLENT INFOTEK BiYan v1.57 ~ v2.8 allows an attacker to leak user information (Password) without being authenticated, by sending an EMP_NO element to the kws_login/asp/query_user.asp URI, and then reading the PWD element.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/keniver/dd27ba44d0aef4318551e647d927242f
Scores
CVSS v3
9.8
EPSS
0.0153
EPSS Percentile
71.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
eic/biyan
1.57 - 2.8
Published
Jun 19, 2019
Tracked Since
Feb 18, 2026