CVE-2021-40661

2022-10-3112:15:10

CWE-22

[email protected]

web.nvd.nist.gov

vulnerability

directory traversal

unauthenticated access

ind780

weighing terminals

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.019

Percentile

88.7%

JSON

A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label ‘IND780_8.0.07’), Version 7.2.10 June 18, 2012 (SS Label ‘IND780_7.2.10’). It was possible to traverse the folders of the affected host by providing a traversal path to the ‘webpage’ parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.

Affected configurations

Nvd

Node

mtind780Match-

AND

mtind780_firmwareMatch7.2.10

mtind780_firmwareMatch8.0.07

VendorProductVersionCPE
mtind780-cpe:2.3:h:mt:ind780:-:*:*:*:*:*:*:*
mtind780_firmware7.2.10cpe:2.3:o:mt:ind780_firmware:7.2.10:*:*:*:*:*:*:*
mtind780_firmware8.0.07cpe:2.3:o:mt:ind780_firmware:8.0.07:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mt	ind780	-	cpe:2.3:h:mt:ind780:-:::::::*
mt	ind780_firmware	7.2.10	cpe:2.3:o:mt:ind780_firmware:7.2.10:::::::*
mt	ind780_firmware	8.0.07	cpe:2.3:o:mt:ind780_firmware:8.0.07:::::::*

References

sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr

www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm