CVE-2021-41290

Summary

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.

Affected Software

VendorProductVersion RangeStatus
ECOAECS Router Controller ECS (FLASH)next of 0 < unspecifiedunknown
ECOARiskBuster Terminator E6L45next of 0 < unspecifiedunknown
ECOARiskBuster System RB 3.0.0next of 0 < unspecifiedunknown
ECOARiskBuster System TRANE 1.0next of 0 < unspecifiedunknown
ECOAGraphic Control Softwarenext of 0 < unspecifiedunknown
ECOASmartHome II E9246next of 0 < unspecifiedunknown
ECOARiskTerminatornext of 0 < unspecifiedunknown

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CVE Program Container

Additional References

References