CVE-2021-41301 - Authorization Bypass Through User-Controlled Key vulnerability in Ecoa products

CVSS 10.0 - CRITICAL

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, ecoa, CWE-639, critical

Summary

The ECOA BAS controller is vulnerable to configuration disclosure when a direct object reference to specific files is made with an HTTP GET request. This enables an unauthenticated attacker to remotely disclose sensitive information, which can aid in authentication bypass, privilege escalation and full system access.

Vulnerable Configurations

Part         Description   Count
OS           Ecoa          2
Hardware     Ecoa          2
Application  Ecoa          1