CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Ecoa » Riskterminator » * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:ecoa:riskterminator:-:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-41302 311 2021-09-30 2021-10-07
5.0
None Remote Low Not required Partial None None
ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
2 CVE-2021-41301 639 Bypass 2021-09-30 2021-10-07
10.0
None Remote Low Not required Complete Complete Complete
ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
3 CVE-2021-41300 522 2021-09-30 2021-10-07
5.0
None Remote Low Not required Partial None None
ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.
4 CVE-2021-41299 798 2021-09-30 2021-10-07
10.0
None Remote Low Not required Complete Complete Complete
ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.
5 CVE-2021-41298 639 Bypass 2021-09-30 2021-10-07
6.5
None Remote Low ??? Partial Partial Partial
ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.
6 CVE-2021-41297 522 2021-09-30 2021-10-07
4.0
None Remote Low ??? Partial None None
ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.
7 CVE-2021-41296 521 2021-09-30 2021-10-07
5.0
None Remote Low Not required Partial None None
ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.
8 CVE-2021-41295 352 Exec Code CSRF 2021-09-30 2021-10-07
6.8
None Remote Medium Not required Partial Partial Partial
ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.
9 CVE-2021-41294 22 DoS Dir. Trav. 2021-09-30 2021-10-07
6.4
None Remote Low Not required None Partial Partial
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.
10 CVE-2021-41293 22 Dir. Trav. 2021-09-30 2021-10-07
5.0
None Remote Low Not required Partial None None
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.
11 CVE-2021-41292 288 Bypass 2021-09-30 2021-10-07
6.4
None Remote Low Not required Partial Partial None
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.
12 CVE-2021-41291 22 Dir. Trav. 2021-09-30 2021-10-07
5.0
None Remote Low Not required Partial None None
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.
13 CVE-2021-41290 434 Exec Code 2021-09-30 2021-10-07
10.0
None Remote Low Not required Complete Complete Complete
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.
Total number of vulnerabilities : 13   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.