MNDT-2022-0035

Description

aEnrich a+HRD 5.x Learning Management Key Performance Indicator System is a web-based Learning Management System (LMS). A local file inclusion (LFI) vulnerability exists in v5.x because a file path taken from a request parameter is used without input validation.

Impact

High: An attacker can use the Local File Inclusion (LFI) to make the web application disclose the contents of arbitrary files on the web server or, where the included file is interpreted as script, execute them.

Exploitability

High: The affected component/functionality is accessible without any authentication.

CVE Reference

CVE-2022-28741

Technical Details

The Local File Inclusion vulnerability can be exploited by requesting a specific URL within the application and supplying a relative path (directory traversal sequences such as "../") in the input parameter; the application joins the value to its base directory without checking that the resulting path stays inside it.
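As an added illustration (not code from the advisory or from the vendor), the following Python shows the check that is missing in an LFI of this kind, and a simple way to spot traversal attempts in web server access logs. The parameter name "page", the document root, the file names and the log lines are all constructed for the example; nothing here reflects the real a+HRD URL or parameters.

```python
"""Added example: safe resolution of a user-supplied include path, and
detection of traversal attempts in access logs. All names and data are
constructed for illustration and are not taken from the advisory."""
import posixpath
from urllib.parse import unquote

# Constructed demo values (hypothetical; not the product's real layout).
DOC_ROOT = "/var/www/app/templates"
ALLOWED_EXTENSIONS = {".html", ".txt"}


def resolve_include(doc_root, requested):
    """Return the path to include for a request parameter value, or None
    if it must be rejected. The vulnerable pattern is to join the
    parameter straight onto doc_root; the fix is to normalise the result
    and refuse anything that does not remain under doc_root."""
    # Decode repeatedly so double-encoded traversal (%252e%252e%252f)
    # is caught; stop once decoding no longer changes the value.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators (Windows hosts) and refuse NUL,
    # which historically truncated paths in C-backed runtimes.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(doc_root)
    # Strip a leading "/" so an absolute path cannot replace the root,
    # then normalise so "../" segments are resolved before the check.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # Allow-list the extension so only template files can be included.
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


# Substrings that indicate a traversal attempt, raw or URL-encoded.
TRAVERSAL_PATTERNS = ("../", "..\\", "%2e%2e", "%252e", "..%5c", "..%2f")


def find_traversal_attempts(log_lines):
    """Return (client, request_target) pairs for access-log lines (common
    log format) whose request target contains a traversal sequence. The
    target is checked both raw and once-decoded so mixed encodings match."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a well-formed common-log-format line
        client, target = parts[0], parts[6]
        probe = (target + " " + unquote(target)).lower()
        if any(p in probe for p in TRAVERSAL_PATTERNS):
            hits.append((client, target))
    return hits


# Constructed sample log lines (hypothetical hosts, paths and parameter).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2022:10:01:02 +0000] "GET /app/view?page=help.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Apr/2022:10:01:05 +0000] "GET /app/view?page=../../../../windows/win.ini HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2022:10:01:09 +0000] "GET /app/view?page=..%2f..%2fweb.config HTTP/1.1" 200 330',
]


if __name__ == "__main__":
    for value in ("help.html", "../../../../etc/passwd",
                  "..%2f..%2fweb.config", "%252e%252e%252fweb.config"):
        print(repr(value), "->", resolve_include(DOC_ROOT, value))
    for client, target in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", client, ":", target)
```

The resolver normalises before comparing, which is the step a naive `startswith` check on the raw input misses; it does not follow symbolic links, so on a host where the template directory may contain links outside the root, resolve the real path (for example with `os.path.realpath`) before the containment check. The log scan is deliberately broad: any ".." in a file-name parameter of an unauthenticated endpoint is worth a look, so expect some benign hits.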

Resolution

This issue is fixed in a+HRD 5.4.1125V112, 5.5.1098V156, 5.6.1067V110, and all v7.x releases.

Discovery Credits

  • Sameer S. Mohite, Mandiant

Disclosure Timeline

  • 12 Apr 2022 – Vendor Contacted
  • 22 Apr 2022 – Issue confirmed
  • 16 Aug 2022 – Vendor public security advisory released

References