Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Changjetong T+ <= 16.x GetStoreWarehouseByStore Deserialization RCE
Vulnerability Description
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
CVSS Information
N/A
Vulnerability Type
可信数据的反序列化
Vulnerability Title
Chanjet TPlus 代码问题漏洞
Vulnerability Description
Chanjet TPlus是中国畅捷通(Chanjet)公司的一个企业云平台。 Chanjet TPlus 16.x及之前版本存在代码问题漏洞,该漏洞源于AjaxPro端点存在.NET反序列化问题,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A