CVE-2019-11233

Name of the Vulnerable Software and Affected Versions EXCELLENT INFOTEK BiYan versions 1.57 through 2.8

Description The issue allows an attacker to leak user information without authentication by sending a LOGIN ID element to the "auth/main/asp/check user login info.aspx" API endpoint and then reading the response. This can be demonstrated by accessing the KW EMAIL or KW TEL field.

Recommendations For versions 1.57 through 2.8, as a temporary workaround, consider restricting access to the "auth/main/asp/check user login info.aspx" API endpoint to minimize the risk of exploitation. Avoid using the LOGIN ID element in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.