ID

VAR-202110-1695


CVE

CVE-2021-41746


TITLE

Yonyou TurboCRM SQL injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-014380

DESCRIPTION

A SQL injection vulnerability exists in all versions of Yonyou TurboCRM via the orgcode parameter in changepswd.php. Attackers can use the vulnerability to obtain sensitive database information. Yonyou TurboCRM contains a SQL injection vulnerability. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2021-41746 // JVNDB: JVNDB-2021-014380 // VULHUB: VHN-402893

AFFECTED PRODUCTS

vendor: yonyou, model: turbocrm, scope: eq, version: -

Trust: 1.8

sources: JVNDB: JVNDB-2021-014380 // NVD: CVE-2021-41746

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41746
value: HIGH

Trust: 1.0

NVD: CVE-2021-41746
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202110-2168
value: HIGH

Trust: 0.6

VULHUB: VHN-402893
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-41746
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-402893
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-41746
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2021-41746
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-402893 // JVNDB: JVNDB-2021-014380 // CNNVD: CNNVD-202110-2168 // NVD: CVE-2021-41746

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.1

problemtype: SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-402893 // JVNDB: JVNDB-2021-014380 // NVD: CVE-2021-41746

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-2168

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202110-2168

PATCH

title: Top Page, url: https://www.yonyou.com/

Trust: 0.8

title: Yonyou TurboCrm SQL injection vulnerability repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=168597

Trust: 0.6

sources: JVNDB: JVNDB-2021-014380 // CNNVD: CNNVD-202110-2168

EXTERNAL IDS

db: NVD, id: CVE-2021-41746

Trust: 3.3

db: CNVD, id: CNVD-2020-21956

Trust: 2.5

db: JVNDB, id: JVNDB-2021-014380

Trust: 0.8

db: CNNVD, id: CNNVD-202110-2168

Trust: 0.6

db: VULHUB, id: VHN-402893

Trust: 0.1

sources: VULHUB: VHN-402893 // JVNDB: JVNDB-2021-014380 // CNNVD: CNNVD-202110-2168 // NVD: CVE-2021-41746

REFERENCES

url:https://github.com/purple-wl/yonyou-turbocrm-sql-injection/issues/1

Trust: 2.5

url:https://www.cnvd.org.cn/flaw/show/cnvd-2020-21956

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2021-41746

Trust: 1.4

sources: VULHUB: VHN-402893 // JVNDB: JVNDB-2021-014380 // CNNVD: CNNVD-202110-2168 // NVD: CVE-2021-41746

SOURCES

db: VULHUB, id: VHN-402893
db: JVNDB, id: JVNDB-2021-014380
db: CNNVD, id: CNNVD-202110-2168
db: NVD, id: CVE-2021-41746

LAST UPDATE DATE

2024-08-14T14:18:19.482000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-402893, date: 2021-12-06T00:00:00
db: JVNDB, id: JVNDB-2021-014380, date: 2022-10-17T08:15:00
db: CNNVD, id: CNNVD-202110-2168, date: 2021-11-04T00:00:00
db: NVD, id: CVE-2021-41746, date: 2021-12-06T15:07:08.343

SOURCES RELEASE DATE

db: VULHUB, id: VHN-402893, date: 2021-10-29T00:00:00
db: JVNDB, id: JVNDB-2021-014380, date: 2022-10-17T00:00:00
db: CNNVD, id: CNNVD-202110-2168, date: 2021-10-29T00:00:00
db: NVD, id: CVE-2021-41746, date: 2021-10-29T18:15:08.270