EUVD-2021-28331

Malicious code in bioql PyPI...

EUVD-2021-28326

Malicious code in bioql PyPI...

EUVD-2021-28332

Malicious code in bioql PyPI...

EUVD-2021-28329

Malicious code in bioql PyPI...

EUVD-2021-28320

Malicious code in bioql PyPI...

EUVD-2021-28327

Malicious code in bioql PyPI...

EUVD-2021-28322

Malicious code in bioql PyPI...

VulnCheck KEV: CVE-2021-41295

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands GET, POST, PUT, DELETE to perform arbitrary operations in the system...

ECOA BAS controller information disclosure vulnerability

ECOA BAS controller is a building automation controller. ECOA BAS controller handles HTTP GET requests and is vulnerable to information disclosure, which can be exploited by remote attackers to submit ad hoc requests that can obtain sensitive information...

ECOA BAS controller arbitrary file upload vulnerability

ECOA BAS controller is a BAS controller developed by Ecoa Technologies Corp in Taiwan, China. ECOA BAS controller is vulnerable to arbitrary file uploads, which can be exploited to send specially crafted URL requests to the /upload URI with the file name and rbt parameters containing The "dot"...

ECOA BAS controller directory traversal vulnerability (CNVD-2021-83638)

ECOA BAS controller is a smart lighting control solution. ECOA BAS controller is vulnerable to directory traversal, which can be exploited by attackers to compromise sensitive and system information...

CVE-2021-41293

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information...

CVE-2021-41290

ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device...

CVE-2021-41299

ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in...

CVE-2021-41301

ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation...

CVE-2021-41297

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text...

CVE-2021-41300

ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality...

Path traversal

ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario...

Default credentials

ECOA BAS controller stores sensitive data backup exports in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege...

Cross site request forgery (csrf)

ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands GET, POST, PUT, DELETE to perform arbitrary operations in the system...