PT-2021-21627 · Southsoft · Southsoft Gmis

Caiteli · Published 2021-08-06 · Updated 2021-08-13 · CVE-2021-37381

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Southsoft GMIS version 5.0
Description: The issue allows attackers to access other users' private information, such as photos, through CSRF attacks. For example, any student's photo can be retrieved through the "/gmis/(S([1]))/student/grgl/PotoImageShow/?bh=[2]" endpoint. The value at [1] is a random string generated from the user's login-related information; it protects the user's identity but does not effectively prevent unauthorized access. The value at [2] is the student number of any student. An attacker can carry out a CSRF attack on the system by modifying [2] while leaving [1] unchanged.
Recommendations: As a temporary workaround, consider restricting access to the /gmis/(S([1]))/student/grgl/PotoImageShow/?bh=[2] endpoint until a patch is available. Avoid using the bh parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
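As an added illustration (not Southsoft's code; the sessions, student numbers and photo data are a constructed in-memory model), the following contrasts a PotoImageShow lookup that trusts the bh value alone, as the description reports, with a hardened form that binds bh to the identity behind the session value at [1], and with the workaround of serving only the caller's own record.

```python
# Constructed model of the /gmis/(S([1]))/student/grgl/PotoImageShow/?bh=[2]
# handler. The path segment (S([1])) identifies the caller's session; bh names
# the student whose photo is returned. Not the vendor's implementation.

# Constructed sample data: session id -> logged-in user, student number -> photo.
SESSIONS = {
    "sess-alice": {"student_no": "2021001", "role": "student"},
    "sess-staff": {"student_no": None, "role": "staff"},
}
PHOTOS = {"2021001": b"alice.jpg", "2021002": b"bob.jpg"}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def resolve_session(session_id):
    """Map the (S([1])) value to the logged-in user, or None if it is invalid."""
    return SESSIONS.get(session_id)


def poto_image_show_vulnerable(session_id, bh):
    """Reported behaviour: any valid session may fetch any student's photo."""
    if resolve_session(session_id) is None:
        raise Forbidden("no valid session")
    # bh is used directly as the lookup key; nothing ties it to the caller.
    return PHOTOS.get(bh)


def poto_image_show_fixed(session_id, bh):
    """Hardened: bh must equal the caller's own student number unless staff."""
    user = resolve_session(session_id)
    if user is None:
        raise Forbidden("no valid session")
    if user["role"] != "staff" and bh != user["student_no"]:
        # Deny (and in a real system, log) the cross-user request.
        raise Forbidden(f"session for {user['student_no']} requested bh={bh}")
    return PHOTOS.get(bh)


def poto_image_show_self(session_id):
    """Workaround from the recommendations: ignore bh, serve the caller's photo."""
    user = resolve_session(session_id)
    if user is None or user["student_no"] is None:
        raise Forbidden("no student session")
    return PHOTOS.get(user["student_no"])


def denied(handler, *args):
    """Helper for checks: True if the handler refuses the request."""
    try:
        handler(*args)
        return False
    except Forbidden:
        return True
```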

Exploit: CSRF


Weakness Enumeration

Related Identifiers: CVE-2021-37381

Affected Products: Southsoft Gmis