Vulners
Lucene search
VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2021-27198 | 25 Oct 202316:58 | – | circl |
 | Visualware MyConnection Server 代码问题漏洞 | 26 Feb 202100:00 | – | cnnvd |
 | Visualware MyConnection Server File Upload Vulnerability | 2 Mar 202100:00 | – | cnvd |
 | CVE-2021-27198 | 26 Feb 202122:53 | – | cve |
 | CVE-2021-27198 | 26 Feb 202122:53 | – | cvelist |
 | CVE-2021-27198 | 26 Feb 202123:15 | – | nvd |
 | CVE-2021-27198 | 26 Feb 202123:15 | – | osv |
 | VisualWare MyConnection Server 11.x Remote Code Execution | 26 Feb 202100:00 | – | packetstorm |
 | Remote code execution | 26 Feb 202123:15 | – | prion |
 | PT-2021-17317 · Visualware · Visualware Myconnection Server | 26 Feb 202100:00 | – | ptsecurity |
10
Document Title:
===============
VisualWare MyConnection Server 11.x Remote Code Execution Vulnerability
References (Source):
====================
https://www.securifera.com/advisories/cve-2021-27198/
https://myconnectionserver.visualware.com/download.html
Release Date:
=============
2020-02-25
Product & Service Introduction:
===============================
MCS tests, measures & reports the performance and health of any network
connection, LAN or WAN. MCS is an access everywhere web based enterprise
solution.
Vulnerability Information:
==============================
Class: CWE-434: Unrestricted Upload of File with Dangerous Type
Impact: Remote Code Execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2021-27198
Vulnerability Description:
==============================
An unauthenticated remote code execution vulnerability was discovered in
Visualware MyConnection Server 11.0 through 11.0b build 5382. The web
endpoint at "https://example.com/myspeed/sf" provides an unauthenticated
user the ability to upload an arbitrary file to an arbitrary location via a
specially crafted POST request. This application is written in Java and is
thus cross-platform. The Windows installation executes the web server as
SYSTEM which means that exploitation provides Administrator privileges on
the target system.
Vulnerability Disclosure Timeline:
==================================
2021-01-11: Contacted VisualWare About Issue via Website Contact Form
2021-02-03: Emailed Multiple VisualWare POCs Requesting Disclosure
Assistance
2021-02-11: Requested CVE from MITRE for vulnerability
2021-02-12: Messaged Lead VisualWare Developer on LinkedIn After Seeing They
Had Looked At My Profile. I assume because of my attempts to contact them
2021-02-18: Notified VisualWare About Issue Again via Website Contact Form
And Notified Them I Would be Disclosing if they did not respond
2021-02-25: Publicly releasing vulnerability because company refuses to
respond to any attempts to coordinate disclsoure
Affected Product(s):
====================
VisualWare MyConnection Server 11.0 through 11.0b build 5382
Severity Level:
===============
High
Proof of Concept (PoC):
=======================
A proof of concept will not be provided at this time.
Solution - Fix & Patch:
=======================
None
Security Risk:
==============
The security risk of this remote code execution vulnerability is estimated
as high. (CVSS 10.0)
Credits & Authors:
==================
Securifera, Inc - b0yd (@rwincey)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Feb 2021 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 210
CVSS 3.19.8
EPSS0.14154