Ecoa vulnerabilities, medium risk
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score) |
---|---|---|---|
2021-09-30 | CVE-2021-41291 | Path Traversal (CWE-22): the ECOA BAS controller suffers from a path traversal vulnerability that discloses file contents. | 5.0 |
2021-09-30 | CVE-2021-41292 | Improper Authentication (CWE-287): the ECOA BAS controller suffers from an authentication bypass vulnerability. | 6.4 |
2021-09-30 | CVE-2021-41293 | Path Traversal (CWE-22): the ECOA BAS controller suffers from a path traversal vulnerability that allows arbitrary file disclosure. | 5.0 |
2021-09-30 | CVE-2021-41294 | Path Traversal (CWE-22): the ECOA BAS controller suffers from a path traversal vulnerability that allows arbitrary file deletion. | 6.4 |
2021-09-30 | CVE-2021-41295 | Cross-Site Request Forgery (CWE-352): the ECOA BAS controller does not protect state-changing requests against CSRF, so an attacker who lures an authenticated user to a malicious web page can forge requests in that user's session and issue CRUD operations (GET, POST, PUT, DELETE) to perform arbitrary actions on the system. | 6.8 |
2021-09-30 | CVE-2021-41296 | Weak Password Requirements (CWE-521): the ECOA BAS controller ships with weak default administrative credentials that are easily guessed in remote password attacks, giving full control of the system. | 5.0 |
2021-09-30 | CVE-2021-41297 | Insufficiently Protected Credentials (CWE-522): a weak access-control mechanism in the ECOA BAS controller lets an authenticated user remotely escalate privileges by reading the credentials of administrative accounts in plain text. | 4.0 |
2021-09-30 | CVE-2021-41298 | Authorization Bypass Through User-Controlled Key (CWE-639): the ECOA BAS controller is vulnerable to insecure direct object references (IDOR); it grants direct access to objects selected by user-supplied identifiers without checking that the caller is authorized for them. | 6.5 |
2021-09-30 | CVE-2021-41300 | Insufficiently Protected Credentials (CWE-522): a special page on the ECOA BAS controller displays user accounts and passwords in plain text; unauthenticated attackers can access the page and obtain full-privilege access. | 5.0 |
2021-09-30 | CVE-2021-41302 | Cleartext Storage of Sensitive Information (CWE-312): the ECOA BAS controller stores sensitive data (backup exports) in clear text, so an unauthenticated attacker can remotely retrieve user passwords and obtain that user's privileges. | 5.0 |
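The three path-traversal entries above (content disclosure, arbitrary file disclosure and arbitrary file deletion) share one root cause: a request path is joined onto a filesystem root without confining the result. Below is an added, generic Python example of the confinement check a file-serving or file-deleting handler needs. It is not code from the ECOA BAS controller or from its vendor; the web root, the request paths and the files are constructed for the demo, and the function names are this example's own.

```python
"""Confine a user-supplied file path to a fixed directory.

Added, generic illustration of the path-traversal class (CWE-22); it is
not taken from the ECOA BAS controller. The web root, request paths and
files used by demo() are constructed for this example.
"""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would escape the configured root."""


def resolve_under_root(root, request_path: str) -> Path:
    """Map `request_path` onto a file under `root`, or raise TraversalError.

    1. Percent-decode to a fixed point, so `..%2F` and `%252e%252e` read as `..`
    2. Reject NUL bytes (they truncate paths in C-backed filesystem APIs)
    3. Normalise backslashes and strip leading slashes: the path is always
       treated as relative to the root, whatever the client sent
    4. Resolve symlinks and `..` components against the real root
    5. Require the result to be the root itself or strictly inside it
    """
    decoded = request_path
    for _ in range(3):                       # bounded: stop at a fixed point
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    relative = decoded.replace("\\", "/").lstrip("/")
    real_root = Path(root).resolve()
    candidate = (real_root / relative).resolve()
    if candidate != real_root and real_root not in candidate.parents:
        raise TraversalError(f"{request_path!r} escapes {real_root}")
    return candidate


def read_under_root(root, request_path: str) -> bytes:
    """Serve a file only if it resolves inside the root."""
    return resolve_under_root(root, request_path).read_bytes()


def delete_under_root(root, request_path: str) -> bool:
    """Delete a regular file only if it resolves inside the root."""
    target = resolve_under_root(root, request_path)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Build a throwaway web root (constructed data) and exercise the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_bytes(b"<html>ok</html>")
        (root / "css" / "site.css").write_bytes(b"body{}")
        secret = Path(tmp) / "secret.txt"            # sits outside the root
        secret.write_bytes(b"admin:hunter2")

        results = {}
        results["index"] = read_under_root(root, "/index.html")
        results["css"] = read_under_root(root, "css/site.css")
        # Each probe tries a different encoding of the same escape.
        for probe in ("../secret.txt", "/../secret.txt", "..%2Fsecret.txt",
                      "%2e%2e/secret.txt", "css/../../secret.txt",
                      "..\\secret.txt"):
            try:
                read_under_root(root, probe)
                results[probe] = "ALLOWED"
            except TraversalError:
                results[probe] = "blocked"
        # Deletion of a legitimate file inside the root still works.
        results["delete_css"] = delete_under_root(root, "css/site.css")
        results["css_exists_after"] = (root / "css" / "site.css").exists()
        results["secret_intact"] = secret.exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The check is deliberately done on the resolved path rather than by searching the raw string for `..`: string filters miss double encoding, backslashes and symlinks that point outside the root. Resolve the path once and use that single `Path` for both the authorization decision and the file operation, so the value that was checked is the value that is opened or deleted.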