Critical Vulnerabilities in a+HRD from aEnrich Technology: Insecure Deserialization, SQL Injection, SSRF and XSS
The a+HRD application from aEnrich Technology has recently been identified with multiple vulnerabilities that pose significant security risks. These vulnerabilities include Insecure Deserialization, SQL Injection, Server-side Request Forgery (SSRF), and Reflected Cross-site Scripting (XSS). Each vulnerability allows attackers to exploit the system in different ways, leading to potential unauthorized access and data manipulation.
An attacker gains access to the application and modifies serialized data sent to the server. By crafting malicious payloads, they can execute arbitrary commands, leading to full system compromise.
An attacker sends specially crafted requests containing SQL injection payloads. This allows them to bypass authentication mechanisms and extract sensitive user data from the database or modify existing records.
An attacker exploits this vulnerability by sending requests that allow them to interact with internal services that are not exposed to the public internet. This could lead to further attacks on internal systems or data leakage.
An attacker sends an email containing a link that exploits this XSS vulnerability. When a user clicks the link, it executes malicious JavaScript in their browser, allowing the attacker to steal cookies or redirect them to a phishing site.
CVE-2025-0586: Insecure Deserialization
- Description: This vulnerability allows remote attackers with database modification privileges to execute arbitrary code through insecure deserialization of untrusted data.
- Impact: Attackers can manipulate serialized objects to execute malicious code on the server, potentially compromising the entire system.
- Severity: Rated as High with a CVSS score of 7.2.
- Published Date: January 19, 2025.
An attacker gains access to the application and modifies serialized data sent to the server. By crafting malicious payloads, they can execute arbitrary commands, leading to full system compromise.
CVE-2025-0585: SQL Injection
- Description: This critical vulnerability allows unauthenticated remote attackers to inject arbitrary SQL commands into the database, enabling them to read, modify, and delete data.
- Impact: Successful exploitation can lead to unauthorized access to sensitive information and complete control over the database.
- Severity: Rated as Critical with a CVSS score of 9.8.
- Published Date: January 19, 2025.
An attacker sends specially crafted requests containing SQL injection payloads. This allows them to bypass authentication mechanisms and extract sensitive user data from the database or modify existing records.
CVE-2025-0584: Server-side Request Forgery (SSRF)
- Description: This vulnerability enables unauthenticated remote attackers to probe internal networks by sending crafted requests from the server.
- Impact: Attackers can gain insights into internal services or potentially exploit other vulnerabilities within the internal network.
- Severity: Rated as Medium with a CVSS score of 5.3.
- Published Date: January 19, 2025.
An attacker exploits this vulnerability by sending requests that allow them to interact with internal services that are not exposed to the public internet. This could lead to further attacks on internal systems or data leakage.
CVE-2025-0583: Reflected Cross-site Scripting (XSS)
- Description: This vulnerability allows unauthenticated remote attackers to execute arbitrary JavaScript code in users' browsers through phishing attacks.
- Impact: Attackers can craft malicious links that, when clicked by users, execute JavaScript in their browsers, potentially leading to data theft or session hijacking.
- Severity: Rated as Medium with a CVSS score of 6.1.
- Published Date: January 19, 2025.
An attacker sends an email containing a link that exploits this XSS vulnerability. When a user clicks the link, it executes malicious JavaScript in their browser, allowing the attacker to steal cookies or redirect them to a phishing site.