{"containers":{"cna":{"affected":[{"product":"ECS Router Controller ECS (FLASH)","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]},{"product":"RiskBuster Terminator E6L45","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]},{"product":"RiskBuster System RB 3.0.0","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]},{"product":"RiskBuster System TRANE 1.0","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]},{"product":"Graphic Control Software","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]},{"product":"SmartHome II E9246","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]},{"product":"RiskTerminator","vendor":"ECOA","versions":[{"lessThan":"unspecified","status":"unknown","version":"next of 0","versionType":"custom"}]}],"datePublic":"2021-09-30T00:00:00.000Z","descriptions":[{"lang":"en","value":"ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-288","description":"CWE-288 Authentication Bypass Using an Alternate Path or Channel","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2021-09-30T10:40:52.000Z","orgId":"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e","shortName":"twcert"},"references":[{"tags":["x_refsource_MISC"],"url":"https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html"}],"solutions":[{"lang":"en","value":"Contact tech support from ECOA."}],"source":{"advisory":"TVN-202109008","discovery":"EXTERNAL"},"title":"ECOA BAS controller - Broken Authentication","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"AKA":"TWCERT/CC","ASSIGNER":"cve@cert.org.tw","DATE_PUBLIC":"2021-09-30T10:13:00.000Z","ID":"CVE-2021-41292","STATE":"PUBLIC","TITLE":"ECOA BAS controller - Broken Authentication"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"ECS Router Controller ECS (FLASH)","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}},{"product_name":"RiskBuster Terminator E6L45","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}},{"product_name":"RiskBuster System RB 3.0.0","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}},{"product_name":"RiskBuster System TRANE 1.0","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}},{"product_name":"Graphic Control Software","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}},{"product_name":"SmartHome II E9246","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}},{"product_name":"RiskTerminator","version":{"version_data":[{"version_affected":"?>","version_value":"0"}]}}]},"vendor_name":"ECOA"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}]},"references":{"reference_data":[{"name":"https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html","refsource":"MISC","url":"https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html"}]},"solution":[{"lang":"en","value":"Contact tech support from ECOA."}],"source":{"advisory":"TVN-202109008","discovery":"EXTERNAL"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T03:08:31.993Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.twcert.org.tw/tw/cp-132-5128-b075a-1.html"}]}]},"cveMetadata":{"assignerOrgId":"cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e","assignerShortName":"twcert","cveId":"CVE-2021-41292","datePublished":"2021-09-30T10:40:52.625Z","dateReserved":"2021-09-15T00:00:00.000Z","dateUpdated":"2024-09-17T03:32:30.239Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}