Skip to main content

Ecs Router Controller Ecs Firmware CVE-2021-41294

CRITICAL
Path Traversal (CWE-22)
2021-09-30 twcert@cert.org.tw
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 30, 2021 - 11:15 nvd
CRITICAL 9.1

DescriptionNVD

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.

AnalysisAI

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario. Affected products include: Ecoa Ecs Router Controller-Ecs Firmware, Ecoa Riskbuster Firmware, Ecoa Riskterminator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2021-41293 HIGH POC
7.5 Sep 30

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Rated high severity

CVE-2021-41291 HIGH POC
7.5 Sep 30

ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Rated high severity (CVSS 7.5), this

CVE-2021-41301 CRITICAL
9.8 Sep 30

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files

CVE-2021-41300 CRITICAL
9.8 Sep 30

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can

CVE-2021-41299 CRITICAL
9.8 Sep 30

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers c

CVE-2021-41296 CRITICAL
9.8 Sep 30

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password at

CVE-2021-41290 CRITICAL
9.8 Sep 30

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Rated critical severity (CVSS

CVE-2021-41292 CRITICAL
9.1 Sep 30

ECOA BAS controller suffers from an authentication bypass vulnerability. Rated critical severity (CVSS 9.1), this vulner

CVE-2021-41298 HIGH
8.8 Sep 30

ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct a

CVE-2021-41297 HIGH
8.8 Sep 30

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate priv

CVE-2021-41295 HIGH
8.8 Sep 30

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a for

CVE-2021-41302 HIGH
7.3 Sep 30

ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely

Share

CVE-2021-41294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy