TVN ID | TVN-202109017 |
---|---|
CVE ID | CVE-2021-41301 |
CVSS | 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Affected Products | ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator |
Description | ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. |
Solution | Contact tech support from ECOA. |
Credit | Gjoko Krstic(Zero Science Lab) |
Public Date | 2021-09-30 |