Skip to main content

Ecs Router Controller Ecs Firmware CVE-2021-41293

HIGH
Path Traversal (CWE-22)
2021-09-30 twcert@cert.org.tw
7.5
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (cert) · only source for this CVE.

CVSS VectorVendor: cert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 30, 2021 - 11:15 cve.org
HIGH 7.5

DescriptionCVE.org

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.

AnalysisAI

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information. Affected products include: Ecoa Ecs Router Controller-Ecs Firmware, Ecoa Riskbuster Firmware, Ecoa Riskterminator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2021-41291 HIGH POC
7.5 Sep 30

ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Rated high severity (CVSS 7.5), this

CVE-2021-41301 CRITICAL
9.8 Sep 30

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files

CVE-2021-41300 CRITICAL
9.8 Sep 30

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can

CVE-2021-41299 CRITICAL
9.8 Sep 30

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers c

CVE-2021-41296 CRITICAL
9.8 Sep 30

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password at

CVE-2021-41290 CRITICAL
9.8 Sep 30

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Rated critical severity (CVSS

CVE-2021-41294 CRITICAL
9.1 Sep 30

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Rated critical severi

CVE-2021-41292 CRITICAL
9.1 Sep 30

ECOA BAS controller suffers from an authentication bypass vulnerability. Rated critical severity (CVSS 9.1), this vulner

CVE-2021-41298 HIGH
8.8 Sep 30

ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct a

CVE-2021-41297 HIGH
8.8 Sep 30

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate priv

CVE-2021-41295 HIGH
8.8 Sep 30

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a for

CVE-2021-41302 HIGH
7.3 Sep 30

ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely

Share

CVE-2021-41293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy