CVE-2023-7334
CRITICAL WAF: Medium
CVSS 9.8
Published: 2026-01-15
CWE-502
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| chanjetvip | t\+ | up to 16.000.000.0283 |
References
- blog.csdn.net (Exploit, Third Party Advisory)
- blog.csdn.net (Exploit, Third Party Advisory)
- github.com (Product)
- www.chanjetvip.com (Release Notes)
- www.freebuf.com (Exploit, Third Party Advisory)
- www.vulncheck.com (Third Party Advisory)