CVE-2021-42337
AIFU Cashier Accounting Management System - Improper Authorization via Salary Query URL Parameter
Severity
MEDIUM
The permission control of the AIFU cashier management salary query function can be bypassed: after obtaining a general user's permission, a remote attacker can access account information (except passwords) by crafting URL parameters.
References (1)
Third Party Advisory (x_refsource_misc)
https://www.twcert.org.tw/tw/cp-132-5296-cbf80-1.html
Scores
CVSS v3
4.3
EPSS
0.0087
EPSS Percentile
54.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-285
Status
published
Products (1)
aifu/cashier_accounting_management_system
Published
Nov 16, 2021
Tracked Since
Feb 18, 2026