CVE-2023-7334

Name of the Vulnerable Software and Affected Versions Changjetong T+ versions up to and including 16.x

Description Changjetong T+ versions up to and including 16.x contain a .NET deserialization issue in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to the /tplus/ajaxpro/Ufida.T.CodeBehind. PriorityLevel,App Code.ashx?method=GetStoreWarehouseByStore API endpoint with a malicious JSON body. This leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods, such as System.Diagnostics.Process.Start, potentially resulting in the execution of arbitrary commands in the context of the T+ application service account. The Shadowserver Foundation observed exploitation evidence on 2023-08-19 (UTC).

Recommendations Versions up to and including 16.x should be updated to a newer, secure version. As a temporary workaround, consider restricting access to the /tplus/ajaxpro/Ufida.T.CodeBehind. PriorityLevel,App Code.ashx?method=GetStoreWarehouseByStore API endpoint.