Login Sign Up

CVE-2019-9884

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows unauthenticated attackers to bypass password validation on eClass platforms by using a GET request to the /admin page. It affects eClass platforms running versions below ip.2.5.10.2.1, potentially exposing administrative interfaces to unauthorized access.

💻 Affected Systems

Products:
  • eClass platform
Versions: Versions < ip.2.5.10.2.1
Operating Systems: Any OS running eClass
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where the /admin endpoint is accessible.

📦 What is this software?

Eclass Ip by Eclass

View all CVEs affecting Eclass Ip →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the eClass platform with administrative access, allowing data theft, user impersonation, and system manipulation.

🟠

Likely Case

Unauthorized access to administrative functions, potentially leading to data exposure, user account compromise, and platform configuration changes.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to administrative interfaces.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP GET request to /admin endpoint bypasses authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ip.2.5.10.2.1 or later

Vendor Advisory: https://tvn.twcert.org.tw/taiwanvn/TVN-201904004

Restart Required: Yes

Instructions:

1. Backup current installation. 2. Download and install version ip.2.5.10.2.1 or later from official eClass sources. 3. Restart the eClass service. 4. Verify the fix by testing the /admin endpoint.

🔧 Temporary Workarounds

Block /admin endpoint access

all

Use web server configuration to restrict access to /admin path

# Apache: <Location /admin> Require all denied </Location>
# Nginx: location /admin { deny all; }

Implement IP whitelisting

all

Restrict access to administrative interface to trusted IP addresses only

# Apache: <Location /admin> Require ip 192.168.1.0/24 </Location>
# Nginx: location /admin { allow 192.168.1.0/24; deny all; }

🧯 If You Can't Patch

  • Implement network segmentation to isolate eClass platform from untrusted networks
  • Deploy a web application firewall (WAF) with rules to block unauthorized /admin access

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to http://[eclass-server]/admin and check if it returns administrative interface without authentication

Check Version:

Check eClass version in web interface or configuration files

Verify Fix Applied:

After patching, attempt the same GET request to /admin and verify it requires proper authentication

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated GET requests to /admin endpoint
  • Multiple failed authentication attempts followed by successful /admin access

Network Indicators:

  • HTTP GET requests to /admin path without authentication headers
  • Unusual administrative activity from non-admin IP addresses

SIEM Query:

source="web_server" AND (url="/admin" AND NOT (user!="" OR auth_success="true"))

📊 Metadata

CVE ID: CVE-2019-9884
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-284
Published: July 25, 2019
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-9884, you might also want to check these:

CVE-2021-34795 10.0

This critical vulnerability in Cisco Catalyst PON Series Switches ONT web management interface allow...

Same vulnerability type (CWE-284)
CVE-2021-40113 10.0

Multiple vulnerabilities in Cisco Catalyst PON Series Switches ONT web management interface allow un...

Same vulnerability type (CWE-284)
CVE-2026-21636 10.0

A critical vulnerability in Node.js v25's experimental permission model allows attacker-controlled i...

Same vulnerability type (CWE-284)