.. / CVE-2021-41293

Exploit for ECOA Building Automation System - Arbitrary File Retrieval (CVE-2021-41293)

Description:

The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the ‘fname’ POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

Nuclei Template

View the template here CVE-2021-41293.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2021/CVE-2021-41293.yaml

References:

https://github.com/ARPSyndicate/cvemon
https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php
https://github.com/ARPSyndicate/kenzer-templates
https://nvd.nist.gov/vuln/detail/CVE-2021-41293

.. / CVE-2021-41293 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for ECOA Building Automation System - Arbitrary File Retrieval (CVE-2021-41293)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2021-41293