MNDT-2022-0035
Description
aEnrich a+HRD 5.x Learning Management Key Performance Indicator System is a web based Learning Management System (LMS). A local file inclusion (LFI) vulnerability occurs due to missing input validation in v5.x.
Impact
High: An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server.
Exploitability
High: The affected component/functionality is accessible without any authentication.
CVE Reference
CVE-2022-28741
Technical Details
The Local File Inclusion vulnerability can be exploited by accessing a specific URL within the application and supplying relative paths to the input parameter.
Resolution
This issue is fixed in a+HRD 5.4.1125V112, 5.5.1098V156, 5.6.1067V110, and all v7.x releases.
Discovery Credits
- Sameer S. Mohite, Mandiant
Disclosure Timeline
- 12 Apr 2022 – Vendor Contacted
- 22 Apr 2022 – Issue confirmed
- 16 Aug 2022 – Vendor public security advisory released