CVE-2021-41291

Summary

ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.

Affected Software

VendorProductVersion RangeStatus
ECOAECS Router Controller ECS (FLASH)next of 0 < unspecifiedunknown
ECOARiskBuster Terminator E6L45next of 0 < unspecifiedunknown
ECOARiskBuster System RB 3.0.0next of 0 < unspecifiedunknown
ECOARiskBuster System TRANE 1.0next of 0 < unspecifiedunknown
ECOAGraphic Control Softwarenext of 0 < unspecifiedunknown
ECOASmartHome II E9246next of 0 < unspecifiedunknown
ECOARiskTerminatornext of 0 < unspecifiedunknown

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

References