CVSS: 10.0EPSS: 5%CPEs: 1EXPL: 1CVE-2021-27198 – VisualWare MyConnection Server 11.0b Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-27198
An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system. • https://github.com/rwincey/CVE-2021-27198 http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2021/Feb/81 https://myconnectionserver.visualware.com/download.html https://myconnectionserver.visualware.com/support/newrelease.html https://www.securifera.com/advisories/cve-2021-27198 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-27509
https://notcve.org/view.php?id=CVE-2021-27509
In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code. En Visualware MyConnection Server versiones anteriores a 11.0b build 5382, cada reporte publicado no está asociado con su propio código de acceso • https://myconnectionserver.visualware.com/support/newrelease.html • CWE-863: Incorrect Authorization •