ECOA Ecs Router Controller-ecs Firmware -
Approved changes feed: RSS · Atom
cpe:2.3:o:ecoa:ecs_router_controller-ecs_firmware:-:*:*:*:*:*:*:*
part: o version: - update: *
| Vendor | Ecoa (9b3505e1-e942-58fa-a951-d0e6cb7e6512) |
|---|---|
| Product | Ecs Router Controller Ecs Firmware (9396c7da-f3cd-580d-9dc3-9308f7f4beca) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2021-41302 |
vulnerable | 2026-06-08 05:35:20.181512 |
ECOA BAS controller - Missing Encryption of Sensitive Data
HIGH (7.3)
ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
Published: 2021-09-30T10:41:08.156Z
Updated: 2024-09-16T20:21:36.719Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41301 |
vulnerable | 2026-06-08 05:35:20.166419 |
ECOA BAS controller - Exposure of Sensitive Information to an Unauthorized Actor
CRITICAL (9.8)
ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
Published: 2021-09-30T10:41:06.633Z
Updated: 2024-09-16T16:53:19.967Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41300 |
vulnerable | 2026-06-08 05:35:20.158573 |
ECOA BAS controller - Insufficiently Protected Credentials-2
CRITICAL (9.8)
ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.
Published: 2021-09-30T10:41:05.097Z
Updated: 2024-09-16T23:41:00.205Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41299 |
vulnerable | 2026-06-08 05:35:20.157785 |
ECOA BAS controller - Use of Hard-coded Credentials
CRITICAL (9.8)
ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.
Published: 2021-09-30T10:41:03.577Z
Updated: 2024-09-16T17:22:44.543Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41298 |
vulnerable | 2026-06-08 05:35:20.157088 |
ECOA BAS controller - Improper Access Control
HIGH (8.8)
ECOA BAS controller is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers with general user's privilege can remotely bypass authorization and access the hidden resources in the system and execute privileged functionalities.
Published: 2021-09-30T10:41:02.047Z
Updated: 2024-09-16T20:16:40.291Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41297 |
vulnerable | 2026-06-08 05:35:20.156376 |
ECOA BAS controller - Insufficiently Protected Credentials-1
HIGH (8.8)
ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.
Published: 2021-09-30T10:41:00.486Z
Updated: 2024-09-16T20:22:39.752Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41296 |
vulnerable | 2026-06-08 05:35:20.155378 |
ECOA BAS controller - Weak Password Requirements
CRITICAL (9.8)
ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.
Published: 2021-09-30T10:40:58.921Z
Updated: 2024-09-17T03:17:33.292Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41295 |
vulnerable | 2026-06-08 05:35:20.154443 |
ECOA BAS controller - Cross-Site Request Forgery (CSRF)
HIGH (8.8)
ECOA BAS controller has a Cross-Site Request Forgery vulnerability, thus authenticated attacker can remotely place a forged request at a malicious web page and execute CRUD commands (GET, POST, PUT, DELETE) to perform arbitrary operations in the system.
Published: 2021-09-30T10:40:57.384Z
Updated: 2024-09-17T00:52:20.343Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41294 |
vulnerable | 2026-06-08 05:35:20.153509 |
ECOA BAS controller - Path Traversal-4
CRITICAL (9.1)
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.
Published: 2021-09-30T10:40:55.828Z
Updated: 2024-09-17T03:53:41.840Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41293 |
vulnerable | 2026-06-08 05:35:20.152786 |
ECOA BAS controller - Path Traversal-3
HIGH (7.5)
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.
Published: 2021-09-30T10:40:54.205Z
Updated: 2024-09-16T19:41:34.779Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41292 |
vulnerable | 2026-06-08 05:35:20.151944 |
ECOA BAS controller - Broken Authentication
CRITICAL (9.8)
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC.
Published: 2021-09-30T10:40:52.625Z
Updated: 2024-09-17T03:32:30.239Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41291 |
vulnerable | 2026-06-08 05:35:20.151099 |
ECOA BAS controller - Path Traversal-1
HIGH (7.5)
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device.
Published: 2021-09-30T10:40:51.070Z
Updated: 2024-09-16T23:36:07.656Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-41290 |
vulnerable | 2026-06-08 05:35:20.147050 |
ECOA BAS controller - Path Traversal-1
CRITICAL (9.8)
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.
Published: 2021-09-30T10:40:49.516Z
Updated: 2024-09-16T22:25:25.496Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.