CVE-2019-11232

Name of the Vulnerable Software and Affected Versions EXCELLENT INFOTEK BiYan versions 1.57 through 2.8

Description The issue allows an attacker to leak user information, specifically passwords, without authentication. This is achieved by sending an EMP NO element to the "kws login/asp/query user.asp" API endpoint and then reading the PWD element.

Recommendations For versions 1.57 through 2.8, consider restricting access to the "kws login/asp/query user.asp" API endpoint to prevent unauthorized password leaks. As a temporary workaround, avoid using the EMP NO element in this endpoint until a fix is available.