cvelist/2021/41xxx/CVE-2021-41290.json

{
    "CVE_data_meta": {
        "AKA": "TWCERT/CC",
        "ASSIGNER": "cve@cert.org.tw",
        "DATE_PUBLIC": "2021-09-30T10:13:00.000Z",
        "ID": "CVE-2021-41290",
        "STATE": "PUBLIC",
        "TITLE": "ECOA BAS controller - Path Traversal-1"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "ECS Router Controller ECS (FLASH)",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "RiskBuster Terminator E6L45",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "RiskBuster System RB 3.0.0",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "RiskBuster System TRANE 1.0",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "Graphic Control Software",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "SmartHome II E9246",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            },
                            {
                                "product_name": "RiskTerminator",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "?>",
                                            "version_value": "0"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "ECOA"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device."
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "refsource": "MISC",
                "url": "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
                "name": "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html"
            }
        ]
    },
    "solution": [
        {
            "lang": "eng",
            "value": "Contact tech support from ECOA."
        }
    ],
    "source": {
        "advisory": "TVN-202109006",
        "discovery": "EXTERNAL"
    }
}
"-Synchronized-Data." 2021-09-15 21:00:52 +00:00			`{`
			`"CVE_data_meta": {`
Add TWCERT/CC CVE-2021-41290 CVE-2021-41291 CVE-2021-41292 CVE-2021-41293 CVE-2021-41294 CVE-2021-41295 CVE-2021-41296 CVE-2021-41297 CVE-2021-41298 CVE-2021-41299 CVE-2021-41300 CVE-2021-41301 CVE-2021-41302 2021-09-30 18:38:00 +08:00			`"AKA": "TWCERT/CC",`
			`"ASSIGNER": "cve@cert.org.tw",`
			`"DATE_PUBLIC": "2021-09-30T10:13:00.000Z",`
"-Synchronized-Data." 2021-09-15 21:00:52 +00:00			`"ID": "CVE-2021-41290",`
Add TWCERT/CC CVE-2021-41290 CVE-2021-41291 CVE-2021-41292 CVE-2021-41293 CVE-2021-41294 CVE-2021-41295 CVE-2021-41296 CVE-2021-41297 CVE-2021-41298 CVE-2021-41299 CVE-2021-41300 CVE-2021-41301 CVE-2021-41302 2021-09-30 18:38:00 +08:00			`"STATE": "PUBLIC",`
			`"TITLE": "ECOA BAS controller - Path Traversal-1"`
"-Synchronized-Data." 2021-09-15 21:00:52 +00:00			`},`
Add TWCERT/CC CVE-2021-41290 CVE-2021-41291 CVE-2021-41292 CVE-2021-41293 CVE-2021-41294 CVE-2021-41295 CVE-2021-41296 CVE-2021-41297 CVE-2021-41298 CVE-2021-41299 CVE-2021-41300 CVE-2021-41301 CVE-2021-41302 2021-09-30 18:38:00 +08:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "ECS Router Controller ECS (FLASH)",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "RiskBuster Terminator E6L45",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "RiskBuster System RB 3.0.0",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "RiskBuster System TRANE 1.0",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "Graphic Control Software",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "SmartHome II E9246",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"product_name": "RiskTerminator",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "?>",`
			`"version_value": "0"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "ECOA"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2021-09-15 21:00:52 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
Add TWCERT/CC CVE-2021-41290 CVE-2021-41291 CVE-2021-41292 CVE-2021-41293 CVE-2021-41294 CVE-2021-41295 CVE-2021-41296 CVE-2021-41297 CVE-2021-41298 CVE-2021-41299 CVE-2021-41300 CVE-2021-41301 CVE-2021-41302 2021-09-30 18:38:00 +08:00			`"value": "ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device."`
			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.0.9"`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "HIGH",`
			`"baseScore": 9.8,`
			`"baseSeverity": "CRITICAL",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "NONE",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"`
			`}`
			`]`
"-Synchronized-Data." 2021-09-15 21:00:52 +00:00			`}`
			`]`
Add TWCERT/CC CVE-2021-41290 CVE-2021-41291 CVE-2021-41292 CVE-2021-41293 CVE-2021-41294 CVE-2021-41295 CVE-2021-41296 CVE-2021-41297 CVE-2021-41298 CVE-2021-41299 CVE-2021-41300 CVE-2021-41301 CVE-2021-41302 2021-09-30 18:38:00 +08:00			`},`
			`"references": {`
			`"reference_data": [`
			`{`
"-Synchronized-Data." 2021-09-30 11:01:02 +00:00			`"refsource": "MISC",`
			`"url": "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",`
			`"name": "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html"`
Add TWCERT/CC CVE-2021-41290 CVE-2021-41291 CVE-2021-41292 CVE-2021-41293 CVE-2021-41294 CVE-2021-41295 CVE-2021-41296 CVE-2021-41297 CVE-2021-41298 CVE-2021-41299 CVE-2021-41300 CVE-2021-41301 CVE-2021-41302 2021-09-30 18:38:00 +08:00			`}`
			`]`
			`},`
			`"solution": [`
			`{`
			`"lang": "eng",`
			`"value": "Contact tech support from ECOA."`
			`}`
			`],`
			`"source": {`
			`"advisory": "TVN-202109006",`
			`"discovery": "EXTERNAL"`
"-Synchronized-Data." 2021-09-15 21:00:52 +00:00			`}`
			`}`