An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2021/Feb/81 | Mailing List Third Party Advisory |
https://myconnectionserver.visualware.com/download.html | Product Vendor Advisory |
https://myconnectionserver.visualware.com/support/newrelease.html | Release Notes Vendor Advisory |
https://www.securifera.com/advisories/cve-2021-27198/ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-02-26T22:53:27
Updated: 2021-07-15T11:04:15
Reserved: 2021-02-12T00:00:00
Link: CVE-2021-27198
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-02-26T23:15:11.263
Modified: 2021-09-14T16:39:15.817
Link: CVE-2021-27198
JSON object: View
Redhat Information
No data.
CWE