CVE-2021-41293

Summary

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.

Affected Software

VendorProductVersion RangeStatus
ECOAECS Router Controller ECS (FLASH)next of 0 < unspecifiedunknown
ECOARiskBuster Terminator E6L45next of 0 < unspecifiedunknown
ECOARiskBuster System RB 3.0.0next of 0 < unspecifiedunknown
ECOARiskBuster System TRANE 1.0next of 0 < unspecifiedunknown
ECOAGraphic Control Softwarenext of 0 < unspecifiedunknown
ECOASmartHome II E9246next of 0 < unspecifiedunknown
ECOARiskTerminatornext of 0 < unspecifiedunknown

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

References