mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-07-29 05:56:59 +00:00
161 lines
6.1 KiB
JSON
161 lines
6.1 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"AKA": "TWCERT/CC",
|
|
"ASSIGNER": "cve@cert.org.tw",
|
|
"DATE_PUBLIC": "2021-09-30T10:13:00.000Z",
|
|
"ID": "CVE-2021-41290",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "ECOA BAS controller - Path Traversal-1"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "ECS Router Controller ECS (FLASH)",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskBuster Terminator E6L45",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskBuster System RB 3.0.0",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskBuster System TRANE 1.0",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "Graphic Control Software",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "SmartHome II E9246",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"product_name": "RiskTerminator",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_affected": "?>",
|
|
"version_value": "0"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "ECOA"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device."
|
|
}
|
|
]
|
|
},
|
|
"generator": {
|
|
"engine": "Vulnogram 0.0.9"
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "LOW",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 9.8,
|
|
"baseSeverity": "CRITICAL",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"privilegesRequired": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"userInteraction": "NONE",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "CWE-434 Unrestricted Upload of File with Dangerous Type"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"refsource": "MISC",
|
|
"url": "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html",
|
|
"name": "https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html"
|
|
}
|
|
]
|
|
},
|
|
"solution": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Contact tech support from ECOA."
|
|
}
|
|
],
|
|
"source": {
|
|
"advisory": "TVN-202109006",
|
|
"discovery": "EXTERNAL"
|
|
}
|
|
} |