ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
References
Link | Resource |
---|---|
https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
|
History
07 Oct 2021, 14:19
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:h:ecoa:ecs_router_controller-ecs:*:*:*:*:*:*:*:* cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:* cpe:2.3:o:ecoa:riskbuster_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:ecoa:riskbuster:*:*:*:*:*:*:*:* |
|
CWE | CWE-639 | |
References | (MISC) https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 10.0
v3 : 9.8 |
30 Sep 2021, 11:39
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-09-30 11:15
Updated : 2024-02-04 22:08
NVD link : CVE-2021-41301
Mitre link : CVE-2021-41301
CVE.ORG link : CVE-2021-41301
JSON object : View
Products Affected
ecoa
- riskterminator
- riskbuster
- riskbuster_firmware
- ecs_router_controller-ecs
- ecs_router_controller-ecs_firmware