免费扫描
CRITICALCVE-2021-22856CVSS 9.8

ChanGate EnterPrise Co., Ltd property management system - SQL Injection

翻译中…

平台

other

组件

property-management-system

AI Confidence: highNVDEPSS 0.3%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2021-22856 identifies a critical SQL Injection vulnerability within the CGE property management system. This flaw allows remote attackers to inject malicious SQL commands, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions 0 through 1.00 of the system, and a patch is required to remediate the issue.

影响与攻击场景翻译中…

The impact of this SQL Injection vulnerability is severe. Successful exploitation allows an attacker to bypass authentication and authorization mechanisms, directly querying the database. This could lead to the exfiltration of sensitive data such as tenant information, financial records, lease agreements, and potentially even administrative credentials. Lateral movement within the network is possible if the database contains information about other systems or users. The blast radius extends to any data stored within the property management system's database, potentially impacting both the property management company and its tenants.

利用背景翻译中…

This vulnerability was publicly disclosed on February 17, 2021. While no active exploitation campaigns have been definitively linked to CVE-2021-22856, the CRITICAL CVSS score indicates a high potential for exploitation. The ease of exploitation, coupled with the sensitivity of the data potentially at risk, makes this a significant concern. No KEV listing is currently available.

哪些人处于风险中翻译中…

Property management companies, real estate agencies, and any organization utilizing the CGE property management system are at risk. Specifically, deployments with weak security configurations or those lacking robust input validation practices are particularly vulnerable. Shared hosting environments utilizing this system also present an increased risk due to potential cross-tenant vulnerabilities.

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.31% (54% 百分位)

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件property-management-system
供应商ChanGate EnterPrise Co., Ltd
影响范围修复版本
0 – 1.00

弱点分类 (CWE)

CWE-89

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期
未修复 — 披露已1922天

缓解措施和替代方案翻译中…

The primary mitigation is to upgrade to a patched version of the CGE property management system as soon as it becomes available. In the absence of a patch, implement temporary mitigations. Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL Injection attempts targeting the vulnerable Cookie parameter. Implement strict input validation on all user-supplied data, particularly within the Cookie parameter, to sanitize potentially malicious characters. Regularly review database access logs for suspicious activity. Consider implementing database activity monitoring (DAM) solutions to detect and alert on unusual queries.

修复方法翻译中…

Actualizar el sistema de gestión de propiedades a una versión posterior a la 1.00 para corregir la vulnerabilidad de inyección SQL. Esto evitará que atacantes remotos ejecuten comandos SQL no autorizados y accedan a datos sensibles en la base de datos. Consulte con el proveedor para obtener la versión actualizada y las instrucciones de instalación.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2021-22856 — SQL Injection in CGE Property Management System?

CVE-2021-22856 is a critical SQL Injection vulnerability affecting CGE property management systems versions 0–1.00, allowing attackers to inject SQL commands and potentially extract sensitive data.

Am I affected by CVE-2021-22856 in CGE Property Management System?

If you are using CGE property management system versions 0 through 1.00, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.

How do I fix CVE-2021-22856 in CGE Property Management System?

The recommended fix is to upgrade to a patched version of the CGE property management system. Until a patch is available, implement WAF rules and input validation.

Is CVE-2021-22856 being actively exploited?

While no confirmed active exploitation campaigns have been publicly reported, the CRITICAL severity suggests a high potential for exploitation.

Where can I find the official CGE advisory for CVE-2021-22856?

Consult the CGE vendor's website or security advisory page for the latest information and official advisory regarding CVE-2021-22856.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE