Security
Headlines
HeadlinesLatestCVEs

Headline

ECOA Building Automation System Configuration Download Information Disclosure

The BAS controller is vulnerable to configuration disclosure when direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

Zero Science Lab

Related news

CVE-2021-41301: TWCERT/CC台灣電腦網路危機處理暨協調中心-ECOA BAS controller - Exposure of Sensitive Information to an Unauthorized Actor

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download

The application is vulnerable to unauthenticated configuration disclosure when direct object reference is made to the backup archive file using an HTTP GET request. The only unknown part of the filename is the hostname of the system. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.