CVE-2021-41301
ECOA BAS controller - Exposure of Sensitive Information to an Unauthorized Actor
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
El controlador ECOA BAS es vulnerable a una divulgación de la configuración cuando se hace referencia directa a los archivos específicos mediante una petición HTTP GET. Esto permitirá al atacante no autenticado divulgar remotamente información confidencial y le ayudará a omitir la autenticación, escalar privilegios y conseguir acceso total al sistema
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-09-15 CVE Reserved
- 2021-09-30 CVE Published
- 2024-09-16 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ecoa Search vendor "Ecoa" | Ecs Router Controller-ecs Firmware Search vendor "Ecoa" for product "Ecs Router Controller-ecs Firmware" | - | - |
Affected
| in | Ecoa Search vendor "Ecoa" | Ecs Router Controller-ecs Search vendor "Ecoa" for product "Ecs Router Controller-ecs" | * | - |
Safe
|
| Ecoa Search vendor "Ecoa" | Riskbuster Firmware Search vendor "Ecoa" for product "Riskbuster Firmware" | - | - |
Affected
| in | Ecoa Search vendor "Ecoa" | Riskbuster Search vendor "Ecoa" for product "Riskbuster" | * | - |
Safe
|
| Ecoa Search vendor "Ecoa" | Riskterminator Search vendor "Ecoa" for product "Riskterminator" | - | - |
Affected
| ||||||