CVE-2021-26473
Summary
| CVE | CVE-2021-26473 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-08 19:15:00 UTC |
| Updated | 2022-04-22 19:10:00 UTC |
| Description | In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Vembu | Bdr Suite | All | All | All | All |
| Application | Vembu | Offsite Dr | All | All | All | All |
| Application | Vembu | Offsite Dr | 4.2.0 | All | All | All |
| Application | Vembu | Offsite Dr | 4.2.0.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| our mission | MISC | www.divd.nl | |
| Vembu Zero Days | DIVD CSIRT | MISC | csirt.divd.nl | |
| Unauthenticated arbitrary file upload and command execution | DIVD CSIRT | MISC | csirt.divd.nl | |
| www.wbsec.nl/vembu | MISC | www.wbsec.nl | |
| DIVD-2020-00011 - Four critical vulnerabilities in Vembu BDR | DIVD CSIRT | MISC | csirt.divd.nl | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Discovered by Wietse Boonstra
LEGACY: Addional research by Frank Breedijk
There are currently no legacy QID mappings associated with this CVE.