Vulnerability CVE-2021-27198


Published: 2021-02-26   Modified: 2021-02-27

Description:
An issue was discovered in Visualware MyConnection Server through 11.0b build 5382. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

See advisories in our WLB2 database:
Topic
Author
Date
High
VisualWare MyConnection Server 11.x Remote Code Execution
Ryan Wincey
28.02.2021

Type:

CWE-434

(Unrestricted Upload of File with Dangerous Type)

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Visualware -> Myconnection server 

 References:
http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html
https://myconnectionserver.visualware.com/download.html
https://myconnectionserver.visualware.com/support/newrelease.html
https://www.securifera.com/advisories/cve-2021-27198/

Copyright 2024, cxsecurity.com

 

Back to Top