CVE-2021-27198

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.
Configurations

Configuration 1 (hide)

cpe:2.3:a:visualware:myconnection_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:57

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html - Third Party Advisory, VDB Entry
References () http://seclists.org/fulldisclosure/2021/Feb/81 - Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2021/Feb/81 - Mailing List, Third Party Advisory
References () https://myconnectionserver.visualware.com/download.html - Product, Vendor Advisory () https://myconnectionserver.visualware.com/download.html - Product, Vendor Advisory
References () https://myconnectionserver.visualware.com/support/newrelease.html - Release Notes, Vendor Advisory () https://myconnectionserver.visualware.com/support/newrelease.html - Release Notes, Vendor Advisory
References () https://www.securifera.com/advisories/cve-2021-27198/ - Third Party Advisory () https://www.securifera.com/advisories/cve-2021-27198/ - Third Party Advisory

14 Sep 2021, 16:39

Type Values Removed Values Added
CPE cpe:2.3:a:visualware:myconnection_server:11.0b:-:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0b:build5360:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0a:-:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0a:build5237:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0b:build5382:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0a:build5211:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0b:build5363:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0b:build5321:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:11.0a:build5295:*:*:*:*:*:*
cpe:2.3:a:visualware:myconnection_server:*:*:*:*:*:*:*:*
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2021/Feb/81 - Mailing List, Third Party Advisory

15 Jul 2021, 12:15

Type Values Removed Values Added
Summary An issue was discovered in Visualware MyConnection Server through 11.0b build 5382. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system. An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

23 Jun 2021, 15:10

Type Values Removed Values Added
CPE cpe:2.3:a:visualware:myconnection_server:11.0a:build8237:*:*:*:*:*:* cpe:2.3:a:visualware:myconnection_server:11.0a:build5237:*:*:*:*:*:*

Information

Published : 2021-02-26 23:15

Updated : 2024-11-21 05:57


NVD link : CVE-2021-27198

Mitre link : CVE-2021-27198

CVE.ORG link : CVE-2021-27198


JSON object : View

Products Affected

visualware

  • myconnection_server
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type