Security
Headlines
HeadlinesLatestCVEs

Headline

ECOA Building Automation System Local File Disclosure Vulnerability

The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the ‘fname’ POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

Zero Science Lab

Related news

Apple macOS Flaw Allows Kernel-Level Compromise

‘Shrootless’ allows bypass of System Integrity Protection IT security measures to install a malicious rootkit that goes undetected and performs arbitrary device operations.

CVE-2020-25872: FrogCMSv0.9.5 Directory Traversal Vulnerability · Issue #34 · philippe/FrogCMS

A vulnerability exists within the FileManagerController.php function in FrogCMS 0.9.5 which allows an attacker to perform a directory traversal attack via a GET request urlencode parameter.

CVE-2021-41294: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Path Traversal-4

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.

CVE-2021-41290: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Path Traversal-1

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.

CVE-2021-41291: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Path Traversal-2

ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.

CVE-2021-41729: Bug Report: Multiple Arbitrary File Deletion vulnerabilities · Issue #3 · meiko-S/BaiCloud-cms

BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php.

CVE-2021-41293: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Path Traversal-3

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.

ECOA Building Automation System Arbitrary File Deletion

The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause denial of service scenario.