yeqifu carRental Druid Component Hard-Coded Credentials Vulnerability

Vulnerability

A vulnerability exists in yeqifu carRental up to commit 3fabb7eae93d209426638863980301d6f99866b3, specifically within the Druid component. The issue is in the file '/carRental_war/druid/login.html', which contains hard-coded credentials. The Druid monitoring console does not enforce any login permission of its own, so the flaw can be exploited remotely without prior authentication. The issue has been publicly disclosed and is actively exploitable.

Impact

Exploitation of this vulnerability allows for unauthorized access using default credentials, which could lead to the exposure of sensitive operational information.

Reproduction

To reproduce this vulnerability, access the Druid login page at '/carRental_war/druid/login.html'. The page will automatically use the hard-coded credentials 'root' for the username and '123456' for the password, bypassing any authentication requirements.
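The defensive fix is to stop shipping a monitoring password inside the deployed artifact and to restrict who can reach the Druid console. The following Spring Boot configuration is an added example written for this advisory, not code from the carRental project; it assumes the application registers Druid's StatViewServlet under /druid/* and that the environment variable names DRUID_MONITOR_USER and DRUID_MONITOR_PASSWORD are chosen by the operator. The same loginUsername, loginPassword, allow and resetEnable init-params apply to a web.xml deployment.

```java
import java.util.HashMap;
import java.util.Map;

import com.alibaba.druid.support.http.StatViewServlet;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class DruidMonitorConfig {

    @Bean
    public ServletRegistrationBean<StatViewServlet> druidStatViewServlet() {
        // Credentials come from the deployment environment, never from a
        // file in the WAR (the weak pattern described in this advisory).
        String user = requireEnv("DRUID_MONITOR_USER");       // assumed variable name
        String pass = requireEnv("DRUID_MONITOR_PASSWORD");   // assumed variable name

        Map<String, String> params = new HashMap<>();
        params.put("loginUsername", user);
        params.put("loginPassword", pass);
        // Empty "allow" means everyone; restrict the console to the local host
        // (or an admin network) so an exposed login page is not reachable at all.
        params.put("allow", "127.0.0.1");
        // Do not let console users reset the collected statistics.
        params.put("resetEnable", "false");

        ServletRegistrationBean<StatViewServlet> bean =
                new ServletRegistrationBean<>(new StatViewServlet(), "/druid/*");
        bean.setInitParameters(params);
        return bean;
    }

    // Fail closed: refuse to start instead of falling back to a default password.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable " + name);
        }
        return value;
    }
}
```

If the console is not needed in production, the simplest mitigation is to not register the servlet at all in that profile.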

Added: Aug 21, 2025, 5:18 PM
Updated: Aug 21, 2025, 6:23 PM

Vulnerability Rating (Custom Algorithm)

  spread          5.4
  impact          2.5
  exploitability  6.0
  remediation     0.0
  relevance       0.4
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.