Newgen Correspondence Management System (corms) eGov 12.0 - IDOR

vendor:

Correspondence Management System (corms) eGov

by:

ALI AL SINAN

7.5

CVSS

HIGH

IDOR

200

CWE

Product Name: Correspondence Management System (corms) eGov

Affected Version From: eGov 12.0

Affected Version To: eGov 12.0

Patch Exists: YES

Related CWE: CVE-2020-35737

CPE: 2.3:a:newgen_soft:correspondence_management_system_corms_egov:12.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: JBoss EAP 7

2020

Newgen Correspondence Management System (corms) eGov 12.0 – IDOR

user can manipulate parameter “UserIndex” in personal setting page. this parameter can allow un-authorized access to view or change other user's personal information.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Newgen Correspondence Management System (corms) eGov 12.0 - IDOR
# Date: 29 Dec 2020
# Exploit Author: ALI AL SINAN
# Vendor Homepage: https://newgensoft.com
# Software Link: https://newgensoft.com/solutions/industries/government/e-gov-office/
# Version: eGov 12.0
# Tested on: JBoss EAP 7
# CVE : CVE-2020-35737
-----------------------------------------------------

Description:

Correspondence management is the process of handling official incoming and outgoing correspondence in government agencies. The word “correspondence” in this context refers to physical letters, direct e-delivery, emails and faxes along with all their attachments that are received by the government agencies.

-----------------------------------------------------

Vulnerability:

Affected URL:
http://server/corms/dist/#/web/home/workdesk/inbox

Vulnerability Description:
user can manipulate parameter “UserIndex” in personal setting page. this parameter can allow un-authorized access to view or change other user's personal information.