CVE-2022-27055

HIGH

ecjia-daojia 1.38.1-20210202629 - Information Leakage via Installer Helper

Title source: llm

Description

ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including the database record password. NOTE: the vendor disputes this because the environment file is in the data directory, which is not intended for access by website visitors (only the statics directory can be accessed by website visitors)

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://github.com/ecjia/ecjia-daojia/issues/20

Exploit, Third Party Advisory x_refsource_misc

https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Controllers/IndexController.php#L74-L78

View Exploit ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Helper.php#L312-L318

View Exploit ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0153

EPSS Percentile 71.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-863

Status published

Products (1)

ecjia/daojia 1.38.1-20210202629

Published Apr 19, 2022

Tracked Since Feb 18, 2026