Skip to main content

Ecs Router Controller Ecs Firmware CVE-2021-41300

CRITICAL
Insufficiently Protected Credentials (CWE-522)
2021-09-30 twcert@cert.org.tw
9.8
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (cert) · only source for this CVE.

CVSS VectorVendor: cert

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 30, 2021 - 11:15 cve.org
CRITICAL 9.8

DescriptionCVE.org

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.

AnalysisAI

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality. Affected products include: Ecoa Ecs Router Controller-Ecs Firmware, Ecoa Riskbuster Firmware, Ecoa Riskterminator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.

CVE-2021-41293 HIGH POC
7.5 Sep 30

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Rated high severity

CVE-2021-41291 HIGH POC
7.5 Sep 30

ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Rated high severity (CVSS 7.5), this

CVE-2021-41301 CRITICAL
9.8 Sep 30

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files

CVE-2021-41299 CRITICAL
9.8 Sep 30

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers c

CVE-2021-41296 CRITICAL
9.8 Sep 30

ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password at

CVE-2021-41290 CRITICAL
9.8 Sep 30

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Rated critical severity (CVSS

CVE-2021-41294 CRITICAL
9.1 Sep 30

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Rated critical severi

CVE-2021-41292 CRITICAL
9.1 Sep 30

ECOA BAS controller suffers from an authentication bypass vulnerability. Rated critical severity (CVSS 9.1), this vulner

CVE-2021-41298 HIGH
8.8 Sep 30

ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct a

CVE-2021-41297 HIGH
8.8 Sep 30

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate priv

CVE-2021-41295 HIGH
8.8 Sep 30

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a for

CVE-2021-41302 HIGH
7.3 Sep 30

ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely

Share

CVE-2021-41300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy