CVE-2021-41720
A command injection vulnerability in Lodash in 4.17.21 allows attackers to arbitrary code execution via the template function. NOTE: this is a different parameter, method, and version than CVE-2021-23337.
Source: CVE-2021-41720
[월:] 2021년 09월
CVE-2021-41729
CVE-2021-41729
BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php.
Source: CVE-2021-41729
CVE-2021-41302
CVE-2021-41302
ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
Source: CVE-2021-41302
CVE-2021-41300
CVE-2021-41300
ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.
Source: CVE-2021-41300
CVE-2021-41290
CVE-2021-41290
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.
Source: CVE-2021-41290
CVE-2021-41291
CVE-2021-41291
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.
Source: CVE-2021-41291
CVE-2021-41292
CVE-2021-41292
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.
Source: CVE-2021-41292
CVE-2021-41293
CVE-2021-41293
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.
Source: CVE-2021-41293
CVE-2021-41294
CVE-2021-41294
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.
Source: CVE-2021-41294
CVE-2021-41295
CVE-2021-41295
ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.
Source: CVE-2021-41295