CVE-2024-13061

CRITICAL

Electronic Official Document Management System - Auth Bypass

Description

The Electronic Official Document Management System from 2100 Technology has an Authentication Bypass vulnerability. Although the product enforces an IP whitelist for the API used to query user tokens, unauthenticated remote attackers can still deceive the server and obtain tokens of arbitrary users, which can then be used to log into the system.

Scores

CVSS v3 9.8
EPSS 0.0015
EPSS Percentile 34.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-290
Status published
Products (1)
2100 Technology Electronic/Official Document Management System < 5.0.86.9
Published Dec 31, 2024
Tracked Since Feb 18, 2026