Vulnerabilities related to ecoa - riskbuster_firmware
cve-2021-41301
Vulnerability from cvelistv5
Published
2021-09-30 10:41
Modified
2024-09-16 16:53
Summary
ECOA BAS controller is vulnerable to configuration disclosure when a direct object reference is made to specific files using an HTTP GET request. This enables an unauthenticated attacker to remotely disclose sensitive information, which can assist in authentication bypass, privilege escalation and full system access.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:32.015Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200 Information Exposure",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:41:06",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109017",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Exposure of Sensitive Information to an Unauthorized Actor",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41301",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Exposure of Sensitive Information to an Unauthorized Actor",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-200 Information Exposure",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109017",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41301",
      datePublished: "2021-09-30T10:41:06.633278Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T16:53:19.967Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41297
Vulnerability from cvelistv5
Published
2021-09-30 10:41
Modified
2024-09-16 20:22
Summary
ECOA BAS controller is vulnerable to a weak access control mechanism that allows an authenticated user to remotely escalate privileges, because the credentials of administrative accounts are disclosed in plain text.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.996Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5133-f3c4b-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-522",
                     description: "CWE-522 Insufficiently Protected Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:41:00",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5133-f3c4b-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109013",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Insufficiently Protected Credentials-1",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41297",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Insufficiently Protected Credentials-1",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-522 Insufficiently Protected Credentials",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5133-f3c4b-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5133-f3c4b-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109013",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41297",
      datePublished: "2021-09-30T10:41:00.486934Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T20:22:39.752Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41290
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-16 22:25
Summary
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using POST parameters, unauthenticated attackers can remotely set arbitrary values for the file location and content type, which may allow them to execute arbitrary code on the affected device.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.999Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-434",
                     description: "CWE-434 Unrestricted Upload of File with Dangerous Type",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:49",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109006",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Path Traversal-1",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41290",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Path Traversal-1",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-434 Unrestricted Upload of File with Dangerous Type",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109006",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41290",
      datePublished: "2021-09-30T10:40:49.516786Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T22:25:25.496Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41295
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-17 00:52
Summary
ECOA BAS controller has a Cross-Site Request Forgery vulnerability: a remote attacker can lure an already-authenticated user to a malicious web page that places a forged request, executing CRUD commands (GET, POST, PUT, DELETE) with the victim's privileges to perform arbitrary operations in the system.


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.930Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5131-c653b-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-352",
                     description: "CWE-352 Cross-Site Request Forgery (CSRF)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:57",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5131-c653b-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109011",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Cross-Site Request Forgery (CSRF)",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41295",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Cross-Site Request Forgery (CSRF)",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-352 Cross-Site Request Forgery (CSRF)",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5131-c653b-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5131-c653b-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109011",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41295",
      datePublished: "2021-09-30T10:40:57.384362Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-17T00:52:20.343Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41294
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-17 03:53
Summary
ECOA BAS controller suffers from a path traversal vulnerability that allows arbitrary file deletion. Using a specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause a denial of service.


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.992Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:55",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109010",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Path Traversal-4",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41294",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Path Traversal-4",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.1,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "NONE",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109010",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41294",
      datePublished: "2021-09-30T10:40:55.828791Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-17T03:53:41.840Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41302
Vulnerability from cvelistv5
Published
2021-09-30 10:41
Modified
2024-09-16 20:21
Summary
ECOA BAS controller stores sensitive data (backup exports) in clear text, so an unauthenticated attacker can remotely query user passwords and obtain the user’s privileges.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:32.040Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 7.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-311",
                     description: "CWE-311 Missing Encryption of Sensitive Data",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:41:08",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109018",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Missing Encryption of Sensitive Data",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41302",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Missing Encryption of Sensitive Data",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 7.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-311 Missing Encryption of Sensitive Data",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109018",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41302",
      datePublished: "2021-09-30T10:41:08.156249Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T20:21:36.719Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41291
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-16 23:36
Summary
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory contents on the affected device.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.853Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:50",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109007",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Path Traversal-1",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41291",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Path Traversal-1",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109007",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41291",
      datePublished: "2021-09-30T10:40:51.070385Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T23:36:07.656Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41300
Vulnerability from cvelistv5
Published
2021-09-30 10:41
Modified
2024-09-16 23:41
Summary
ECOA BAS controller’s special page displays user accounts and passwords in plain text, so unauthenticated attackers can access the page and obtain privileges with full functionality.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.890Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-522",
                     description: "CWE-522 Insufficiently Protected Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:41:05",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109016",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Insufficiently Protected Credentials-2",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41300",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Insufficiently Protected Credentials-2",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-522 Insufficiently Protected Credentials",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109016",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41300",
      datePublished: "2021-09-30T10:41:05.097264Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T23:41:00.205Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41293
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-16 19:41
Summary
The ECOA BAS controller suffers from a path traversal vulnerability that allows arbitrary file disclosure. Using a specific POST parameter, unauthenticated attackers can remotely read arbitrary files on the affected device and thereby disclose sensitive and system information.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.883Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:54",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109009",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Path Traversal-3",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41293",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Path Traversal-3",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109009",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41293",
      datePublished: "2021-09-30T10:40:54.205787Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T19:41:34.779Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41299
Vulnerability from cvelistv5
Published
2021-09-30 10:41
Modified
2024-09-16 17:22
Severity ?
Summary
The ECOA BAS controller contains hard-coded credentials in its Linux distribution image; remote attackers can therefore obtain administrator privileges without logging in.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.989Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-798",
                     description: "CWE-798 Use of Hard-coded Credentials",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:41:03",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109015",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Use of Hard-coded Credentials",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41299",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Use of Hard-coded Credentials",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-798 Use of Hard-coded Credentials",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109015",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41299",
      datePublished: "2021-09-30T10:41:03.577361Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T17:22:44.543Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41296
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-17 03:17
Severity ?
Summary
ECOA BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.927Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-521",
                     description: "CWE-521 Weak Password Requirements",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:58",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109012",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Weak Password Requirements",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41296",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Weak Password Requirements",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-521 Weak Password Requirements",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109012",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41296",
      datePublished: "2021-09-30T10:40:58.921644Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-17T03:17:33.292Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41292
Vulnerability from cvelistv5
Published
2021-09-30 10:40
Modified
2024-09-17 03:32
Severity ?
Summary
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker can, through cookie poisoning, remotely bypass authentication, disclose sensitive information, circumvent physical access controls in smart homes and buildings, and manipulate HVAC.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.993Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-288",
                     description: "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:40:52",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109008",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Broken Authentication",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41292",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Broken Authentication",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.8,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109008",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41292",
      datePublished: "2021-09-30T10:40:52.625489Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-17T03:32:30.239Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-41298
Vulnerability from cvelistv5
Published
2021-09-30 10:41
Modified
2024-09-16 20:16
Summary
ECOA BAS controller is vulnerable to insecure direct object references, which occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with a general user's privilege can remotely bypass authorization, access hidden resources in the system, and execute privileged functionalities.
References


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T03:08:31.834Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "ECS Router Controller ECS (FLASH)",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster Terminator E6L45",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System RB 3.0.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskBuster System TRANE 1.0",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Graphic Control Software",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "SmartHome II E9246",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "RiskTerminator",
               vendor: "ECOA",
               versions: [
                  {
                     lessThan: "unspecified",
                     status: "unknown",
                     version: "next of 0",
                     versionType: "custom",
                  },
               ],
            },
         ],
         datePublic: "2021-09-30T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-284",
                     description: "CWE-284 Improper Access Control",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-09-30T10:41:01",
            orgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
            shortName: "twcert",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html",
            },
         ],
         solutions: [
            {
               lang: "en",
               value: "Contact tech support from ECOA.",
            },
         ],
         source: {
            advisory: "TVN-202109014",
            discovery: "EXTERNAL",
         },
         title: "ECOA BAS controller - Improper Access Control",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               AKA: "TWCERT/CC",
               ASSIGNER: "cve@cert.org.tw",
               DATE_PUBLIC: "2021-09-30T10:13:00.000Z",
               ID: "CVE-2021-41298",
               STATE: "PUBLIC",
               TITLE: "ECOA BAS controller - Improper Access Control",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "ECS Router Controller ECS (FLASH)",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster Terminator E6L45",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System RB 3.0.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskBuster System TRANE 1.0",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Graphic Control Software",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "SmartHome II E9246",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "RiskTerminator",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "?>",
                                          version_value: "0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "ECOA",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-284 Improper Access Control",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html",
                     refsource: "MISC",
                     url: "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html",
                  },
               ],
            },
            solution: [
               {
                  lang: "en",
                  value: "Contact tech support from ECOA.",
               },
            ],
            source: {
               advisory: "TVN-202109014",
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
      assignerShortName: "twcert",
      cveId: "CVE-2021-41298",
      datePublished: "2021-09-30T10:41:02.047884Z",
      dateReserved: "2021-09-15T00:00:00",
      dateUpdated: "2024-09-16T20:16:40.291Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller is vulnerable to configuration disclosure when a direct object reference is made to specific files using an HTTP GET request. This enables an unauthenticated attacker to remotely disclose sensitive information, which can assist in authentication bypass, privilege escalation and full system access.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "635093E9-E45C-422E-8F98-D775ABBBCB91",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "65970728-0CAC-475F-BFE7-AB8AD3A95754",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS es vulnerable a una divulgación de la configuración cuando se hace referencia directa a los archivos específicos mediante una petición HTTP GET. Esto permitirá al atacante no autenticado divulgar remotamente información confidencial y le ayudará a omitir la autenticación, escalar privilegios y conseguir acceso total al sistema",
      },
   ],
   id: "CVE-2021-41301",
   lastModified: "2024-11-21T06:25:59.980",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "COMPLETE",
               baseScore: 10,
               confidentialityImpact: "COMPLETE",
               integrityImpact: "COMPLETE",
               vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 10,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.977",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-639",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller suffers from a path traversal vulnerability that leads to arbitrary file disclosure. Using a specific POST parameter, unauthenticated attackers can remotely read arbitrary files on the affected device and disclose sensitive and system information.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS sufre una vulnerabilidad de salto de ruta, causando la divulgación de archivos arbitrarios. usando el parámetro POST específico, unos atacantes no autenticados pueden divulgar remotamente archivos arbitrarios en el dispositivo afectado y divulgar información confidencial y del sistema",
      },
   ],
   id: "CVE-2021-41293",
   lastModified: "2024-11-21T06:25:58.907",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.540",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus an authenticated attacker can remotely place a forged request on a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS presenta una vulnerabilidad de tipo Cross-Site Request Forgery, por lo que un atacante autenticado puede colocar remotamente una petición falsificada en una página web maliciosa y ejecutar comandos CRUD (GET, POST, PUT, DELETE) para llevar a cabo operaciones arbitrarias en el sistema",
      },
   ],
   id: "CVE-2021-41295",
   lastModified: "2024-11-21T06:25:59.177",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.653",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5131-c653b-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5131-c653b-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-352",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller has a weak access control mechanism that allows an authenticated user to remotely escalate privileges, because the credentials of administrative accounts are disclosed in plain text.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS es vulnerable a un mecanismo de control de acceso débil permitiendo al usuario autenticado escalar remotamente sus privilegios al divulgar las credenciales de las cuentas administrativas en texto plano",
      },
   ],
   id: "CVE-2021-41297",
   lastModified: "2024-11-21T06:25:59.437",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.760",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5133-f3c4b-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5133-f3c4b-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller is vulnerable to insecure direct object references, which occur when the application provides direct access to objects based on user-supplied input. As a result, attackers with general user privileges can remotely bypass authorization, access hidden resources in the system and execute privileged functionality.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with a general user's privilege can remotely bypass authorization, access hidden resources in the system and execute privileged functionalities.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS es vulnerable a las referencias directas a objetos no seguro que se producen cuando la aplicación proporciona acceso directo a objetos basados en la entrada suministrada por el usuario. Como resultado de esta vulnerabilidad, unos atacantes con privilegio de usuario general pueden omitir la autorización de forma remota y acceder a los recursos ocultos del sistema y ejecutar funcionalidades privilegiadas",
      },
   ],
   id: "CVE-2021-41298",
   lastModified: "2024-11-21T06:25:59.567",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.813",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5134-39f74-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-284",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-639",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary file deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause a denial-of-service scenario.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary file deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause a denial-of-service scenario.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS sufre una vulnerabilidad de salto de ruta, causando el borrado arbitrario de archivos. usando el parámetro GET específico, unos atacantes no autenticados pueden eliminar remotamente archivos arbitrarios en el dispositivo afectado y causar un escenario de denegación de servicio",
      },
   ],
   id: "CVE-2021-41294",
   lastModified: "2024-11-21T06:25:59.047",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.4,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.1,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.2,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.1,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.600",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5130-7de92-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS es vulnerable a unas credenciales embebidas en su imagen de distribución de Linux, por lo que los atacantes remotos pueden alcanzar privilegios de administrador sin iniciar sesión",
      },
   ],
   id: "CVE-2021-41299",
   lastModified: "2024-11-21T06:25:59.707",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "COMPLETE",
               baseScore: 10,
               confidentialityImpact: "COMPLETE",
               integrityImpact: "COMPLETE",
               vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 10,
            obtainAllPrivilege: true,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.867",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5135-a9f5c-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-798",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS usa un conjunto débil de credenciales administrativas predeterminadas que pueden ser fácilmente adivinadas en ataques de contraseñas remotas y conseguir el control total del sistema",
      },
   ],
   id: "CVE-2021-41296",
   lastModified: "2024-11-21T06:25:59.303",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.707",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5132-65705-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-521",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.",
      },
      {
         lang: "es",
         value: "La página especial del controlador ECOA BAS muestra la cuenta de usuario y las contraseñas en texto plano, por lo que unos atacantes no autenticados pueden acceder a la página y alcanzar privilegios con plena funcionalidad",
      },
   ],
   id: "CVE-2021-41300",
   lastModified: "2024-11-21T06:25:59.830",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.923",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5136-3e315-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-522",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS sufre una vulnerabilidad de divulgación de contenido de salto de ruta. usando el parámetro GET en el Administrador de Archivos, unos atacantes no autenticados pueden divulgar remotamente el contenido del directorio en el dispositivo afectado",
      },
   ],
   id: "CVE-2021-41291",
   lastModified: "2024-11-21T06:25:58.637",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.423",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5127-3cbd3-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:26
Summary
ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS almacena datos confidenciales (exportaciones de copias de seguridad) en texto sin cifrar, por lo que un atacante no autenticado puede consultar remotamente la contraseña del usuario y alcanzar sus privilegios",
      },
   ],
   id: "CVE-2021-41302",
   lastModified: "2024-11-21T06:26:00.130",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "LOW",
               baseScore: 7.3,
               baseSeverity: "HIGH",
               confidentialityImpact: "LOW",
               integrityImpact: "LOW",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.4,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:08.033",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-311",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-312",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Through POST parameters, unauthenticated attackers can remotely set arbitrary values for the file location and content type, gaining the ability to execute arbitrary code on the affected device.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS sufre una vulnerabilidad de escritura de archivos arbitraria y de salto de ruta. usando los parámetros POST, unos atacantes no autenticados pueden establecer remotamente valores arbitrarios para la ubicación y el tipo de contenido y conseguir la posibilidad de ejecutar código arbitrario en el dispositivo afectado",
      },
   ],
   id: "CVE-2021-41290",
   lastModified: "2024-11-21T06:25:58.507",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "COMPLETE",
               baseScore: 10,
               confidentialityImpact: "COMPLETE",
               integrityImpact: "COMPLETE",
               vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 10,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.357",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-434",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-09-30 11:15
Modified
2024-11-21 06:25
Summary
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker can, through cookie poisoning, remotely bypass authentication, disclose sensitive information, circumvent physical access controls in smart homes and buildings, and manipulate HVAC systems.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "E80292D1-E3AD-42B6-A63E-3546010B97A3",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:ecs_router_controller-ecs:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "541B6C82-F00E-4BFC-9947-A55B2F4EDD06",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "19A28430-AB2B-423F-82D4-FC0E3A6DF335",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:h:ecoa:riskbuster:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "58A6F2A4-A7DA-4A88-B572-917FFC80ADC1",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*",
                     matchCriteriaId: "841DF575-8E63-4AB4-A6F9-77C28FC65BCE",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.",
      },
      {
         lang: "es",
         value: "El controlador ECOA BAS sufre de una vulnerabilidad de omisión de autenticación. Un atacante no autenticado, mediante el envenenamiento de cookies, puede omitir la autenticación de forma remota y divulgar información confidencial, así como omitir los controles de acceso físico en casas y edificios inteligentes y manipular HVAC",
      },
   ],
   id: "CVE-2021-41292",
   lastModified: "2024-11-21T06:25:58.770",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 6.4,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.8,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.9,
            source: "twcert@cert.org.tw",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 9.1,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-09-30T11:15:07.477",
   references: [
      {
         source: "twcert@cert.org.tw",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html",
      },
   ],
   sourceIdentifier: "twcert@cert.org.tw",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-288",
            },
         ],
         source: "twcert@cert.org.tw",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-287",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}