CVE-2021-27198

Sažetak

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

Reference

https://myconnectionserver.visualware.com/download.html
https://www.securifera.com/advisories/cve-2021-27198/
https://myconnectionserver.visualware.com/support/newrelease.html
http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2021/Feb/81

CVSS

Base:	10.0
Impact:	10.0
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

14-09-2021 - 16:39

Objavljeno

26-02-2021 - 23:15