CVE-2021-41290

ECOA BAS controller - Path Traversal-1

CVSS 9.8 CRITICALEPSS 2.2%CWE-434

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

ECOA · ECS Router Controller ECS (FLASH)ECOA · Graphic Control Software ECOA · RiskBuster System RB 3.0.0 ECOA · RiskBuster System TRANE 1.0 ECOA · RiskBuster Terminator E6L45 ECOA · RiskTerminator ECOA · SmartHome II E9246

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html