CVE-2021-41301

Published: Sep 30, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: twcert@cert.org.tw (Secondary)

Description

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

Affected (3)

Products: Ecoa: Ecs Router Controller Ecs Firmware, Riskbuster Firmware, Riskterminator

3 products

Ecs Router Controller Ecs Firmware

Riskbuster Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ecoa Ecs Router Controller Ecs Firmware	All versions

Running on/with	Platform Versions
Ecoa Ecs Router Controller Ecs	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ecoa Riskbuster Firmware	All versions

Running on/with	Platform Versions
Ecoa Riskbuster	All versions

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Ecoa Riskterminator	All versions

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html

Source: twcert@cert.org.tw

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.