CVE-2022-27055

high

Description

ecjia-daojia 1.38.1-20210202629 is vulnerable to information leakage via content/apps/installer/classes/Helper.php. When the web program is installed, a new environment file is created, and the database information is recorded, including the database record password. NOTE: the vendor disputes this because the environment file is in the data directory, which is not intended for access by website visitors (only the statics directory can be accessed by website visitors)

References

https://github.com/ecjia/ecjia-daojia/issues/20

https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Helper.php#L312-L318

https://github.com/ecjia/ecjia-daojia/blob/dfb322387e8d3d50719e44d23d793072616ff789/content/apps/installer/classes/Controllers/IndexController.php#L74-L78

Details

Source: Mitre, NVD

Published: 2022-04-19

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00167