CVE-2021-41292

Published: Sep 30, 2021Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.

Affected (3)

Products: Ecoa: Ecs Router Controller Ecs Firmware, Riskbuster Firmware, Riskterminator

3 products

Ecs Router Controller Ecs Firmware

Riskbuster Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ecoa Ecs Router Controller Ecs Firmware	All versions

Running on/with	Platform Versions
Ecoa Ecs Router Controller Ecs	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ecoa Riskbuster Firmware	All versions

Running on/with	Platform Versions
Ecoa Riskbuster	All versions

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Ecoa Riskterminator	All versions

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References (2)

https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html

Source: twcert@cert.org.tw

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.