An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2021/Feb/81 | Mailing List Third Party Advisory |
https://myconnectionserver.visualware.com/download.html | Product Vendor Advisory |
https://myconnectionserver.visualware.com/support/newrelease.html | Release Notes Vendor Advisory |
https://www.securifera.com/advisories/cve-2021-27198/ | Third Party Advisory |
http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2021/Feb/81 | Mailing List Third Party Advisory |
https://myconnectionserver.visualware.com/download.html | Product Vendor Advisory |
https://myconnectionserver.visualware.com/support/newrelease.html | Release Notes Vendor Advisory |
https://www.securifera.com/advisories/cve-2021-27198/ | Third Party Advisory |
Configurations
History
21 Nov 2024, 05:57
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html - Third Party Advisory, VDB Entry | |
References | () http://seclists.org/fulldisclosure/2021/Feb/81 - Mailing List, Third Party Advisory | |
References | () https://myconnectionserver.visualware.com/download.html - Product, Vendor Advisory | |
References | () https://myconnectionserver.visualware.com/support/newrelease.html - Release Notes, Vendor Advisory | |
References | () https://www.securifera.com/advisories/cve-2021-27198/ - Third Party Advisory |
14 Sep 2021, 16:39
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:visualware:myconnection_server:11.0b:build5360:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0a:-:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0a:build5237:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0b:build5382:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0a:build5211:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0b:build5363:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0b:build5321:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0a:build5295:*:*:*:*:*:* |
cpe:2.3:a:visualware:myconnection_server:*:*:*:*:*:*:*:* |
References |
|
15 Jul 2021, 12:15
Type | Values Removed | Values Added |
---|---|---|
Summary | An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system. |
23 Jun 2021, 15:10
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:visualware:myconnection_server:11.0a:build5237:*:*:*:*:*:* |
Information
Published : 2021-02-26 23:15
Updated : 2024-11-21 05:57
NVD link : CVE-2021-27198
Mitre link : CVE-2021-27198
CVE.ORG link : CVE-2021-27198
JSON object : View
Products Affected
visualware
- myconnection_server
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type