CVE-2019-16133

EUVD-2019-6970
An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
weavereteams_oa
4.0.34
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.iwantacve.cn/index.php/archives/271/
http://www.iwantacve.cn/index.php/archives/271/