CVE-2021-41295

🗓️ 30 Sep 2021 10:40:57Reported by twcertType

cve🔗 web.nvd.nist.gov👁 49 Views🌐 WEB

ECOA BAS controller has CSRF vulnerabilit

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2021-41295	30 Sep 202114:37	–	circl
CNNVD	Ecoa Bas controller 跨站请求伪造漏洞	30 Sep 202100:00	–	cnnvd
CNVD	ECOA BAS controller cross-site request forgery vulnerability	8 Oct 202100:00	–	cnvd
Cvelist	CVE-2021-41295 ECOA BAS controller - Cross-Site Request Forgery (CSRF)	30 Sep 202110:40	–	cvelist
EUVD	EUVD-2021-28325	3 Oct 202520:07	–	euvd
NVD	CVE-2021-41295	30 Sep 202111:15	–	nvd
Prion	Cross site request forgery (csrf)	30 Sep 202111:15	–	prion
VulnCheck KEV	VulnCheck KEV: CVE-2021-41295	26 Nov 202400:00	–	vulncheck_kev
Zero Science Lab	ECOA Building Automation System Cross-Site Request Forgery	8 Sep 202100:00	–	zeroscience

NVD

Node

ecoa ecs_router_controller-ecs_firmwareMatch-

AND

ecoa ecs_router_controller-ecsMatch-

Node

ecoa riskbuster_firmwareMatch-

AND

ecoa riskbusterMatch-

Node

ecoa riskterminatorMatch-

[
  {
    "product": "ECS Router Controller ECS (FLASH)",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "RiskBuster Terminator E6L45",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "RiskBuster System RB 3.0.0",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "RiskBuster System TRANE 1.0",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Graphic Control Software",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "SmartHome II E9246",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "RiskTerminator",
    "vendor": "ECOA",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
twcert	www.twcert.org.tw/tw/cp-132-5131-c653b-1.html

Parameter	Position	Path	Description	CWE
bk	request body	192.168.1.3:8080/usersave	Cross-Site Request Forgery enables forged requests to perform CRUD-like actions via the /usersave endpoint.	CWE-352
edtText	request body	192.168.1.3:8080/usersave	Cross-Site Request Forgery enables forged requests to perform CRUD-like actions via the /usersave endpoint.	CWE-352
comText	request body	192.168.1.3:8080/usersave	Cross-Site Request Forgery enables forged requests to perform CRUD-like actions via the /usersave endpoint.	CWE-352
delrow	request body	192.168.1.3:8080/usersave	Cross-Site Request Forgery enables forged requests to perform CRUD-like actions via the /usersave endpoint.	CWE-352
hiddenText	request body	192.168.1.3:8080/usersave	Cross-Site Request Forgery enables forged requests to perform CRUD-like actions via the /usersave endpoint.	CWE-352

21 Nov 2024 06:25Current

8.9High risk

Vulners AI Score8.9

CVSS 26.8

CVSS 3.18.8

EPSS0.0017

CWE-352