Hardcoded credentials
ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in...
CVE-2021-41302 ECOA BAS controller - Missing Encryption of Sensitive Data
ECOA BAS controller stores sensitive data backup exports in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege...
CVE-2021-41302
CVE-2021-41302 affects ECOA BAS controller family (ECS Router Controller - ECS (FLASH); RiskBuster Terminator - E6L45; RiskBuster System RB 3.0.0; TRANE 1.0; Graphic Control Software; SmartHome II - E9246; RiskTerminator). The issue is that backup exports and other sensitive data are stored in cl...
CVE-2021-41301 ECOA BAS controller - Exposure of Sensitive Information to an Unauthorized Actor
ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation...
CVE-2021-41301
The CVE-2021-41301 issue affects ECOA BAS controller family (ECS Router Controller - ECS (FLASH); RiskBuster Terminator E6L45; RiskBuster System RB 3.0.0 / TRANE 1.0; and related ECOA software). Root cause: information disclosure via direct object reference to syspara.dat or images.dat when acces...
CVE-2021-41299 ECOA BAS controller - Use of Hard-coded Credentials
ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in...
CVE-2021-41297 ECOA BAS controller - Insufficiently Protected Credentials-1
ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text...
CVE-2021-41296 ECOA BAS controller - Weak Password Requirements
ECOA BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system...
CVE-2021-41295 ECOA BAS controller - Cross-Site Request Forgery (CSRF)
ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands GET, POST, PUT, DELETE to perform arbitrary operations in the system...
CVE-2021-41294
CVE-2021-41294 describes a directory traversal vulnerability in ECOA BAS controller (GET parameter handling) that enables unauthenticated remote deletion of arbitrary files and DoS. Concrete details across connected sources include affected ECOA products (ECS Router Controller ECS (FLASH), RiskBu...
CVE-2021-41293 ECOA BAS controller - Path Traversal-3
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information...
CVE-2021-41292 ECOA BAS controller - Broken Authentication
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC...
CVE-2021-41291
CVE-2021-41291 affects ECOA Building Automation System BAS controllers. A directory-traversal vulnerability allows unauthenticated remote disclosure of device file contents by abusing the GET parameter (cpath in File Manager or fmangersub). Documented impact is disclosure of sensitive information...
CVE-2021-41291 ECOA BAS controller - Path Traversal-1
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device...
CVE-2021-41290
The CVE-2021-41290 entry relates to ECOA BAS controller products (e.g., ECOA ECS Router Controller - ECS (FLASH); ECOA RiskBuster Terminator - E6L45; RB 3.0.0; TRANE 1.0; plus related ECOA software) and describes an arbitrary file write/path traversal vulnerability. Attackers can use POST paramet...
CVE-2021-41290 ECOA BAS controller - Path Traversal-1
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device...
Ecoa Bas controller security vulnerability
ECOA BAS controller is an intelligent lighting control solution. An unauthorized access vulnerability exists in ECOA BAS controller, which can be exploited by remote attackers to bypass authorization, access hidden resources in the system and perform privileged functions...
PT-2021-23244 · Unknown · Ecoa Bas Controller
Name of the Vulnerable Software and Affected Versions: ECOA BAS controller, affected versions not specified
Description: The ECOA BAS controller is affected by an arbitrary file write and path traversal issue. Unauthenticated attackers can exploit this by using POST parameters to set arbitrary...
Ecoa Bas controller security vulnerability
ECOA BAS controller is a building automation controller. ECOA BAS controller handles HTTP GET requests and is vulnerable to information disclosure, which can be exploited by remote attackers to submit ad hoc requests that can obtain sensitive information...
Ecoa Bas controller security vulnerability
Ecoa Bas controller is a building automation controller from Ecoa Technologies Corp in China. Ecoa Bas controller is vulnerable to an access control error, which can be exploited by attackers to obtain administrative account credentials in clear text and cause privilege escalation...