CVE-2021-41290

ECOA BAS controller - Path Traversal-1

Description

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.

Remediation

Solution:

Contact tech support from ECOA.

References

Link	Tags
https://www.twcert.org.tw/tw/cp-132-5126-ca315-1.html	third party advisory

Frequently Asked Questions

What is the severity of CVE-2021-41290?: CVE-2021-41290 has been scored as a critical severity vulnerability.
How to fix CVE-2021-41290?: To fix CVE-2021-41290: Contact tech support from ECOA.
Is CVE-2021-41290 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-41290 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-41290?: CVE-2021-41290 affects ECOA ECS Router Controller ECS (FLASH), ECOA RiskBuster Terminator E6L45, ECOA RiskBuster System RB 3.0.0, ECOA RiskBuster System TRANE 1.0, ECOA Graphic Control Software, ECOA SmartHome II E9246, ECOA RiskTerminator.

Description

Remediation

Categories

CWE-434 – Unrestricted Upload of File with Dangerous Type

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions