Vulnerabilities > Ecoa

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ACCESS | VENDOR / CWE | RISK |
|---|---|---|---|---|---|---|
| 2021-09-30 | CVE-2021-41300 | Insufficiently Protected Credentials vulnerability in Ecoa products | ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality. | network, low complexity | ecoa, CWE-522 | critical, 9.8 |
| 2021-09-30 | CVE-2021-41301 | Authorization Bypass Through User-Controlled Key vulnerability in Ecoa products | ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. | network, low complexity | ecoa, CWE-639 | critical, 9.8 |
| 2021-09-30 | CVE-2021-41302 | Cleartext Storage of Sensitive Information vulnerability in Ecoa products | ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege. | network, low complexity | ecoa, CWE-312 | 7.3 |