CVE-2021-26473 CRITICAL

CVE-2021-26473: Unauthenticated arbitrary file upload and command execution in Vembu products

Vendor N/A
Product n/a
Published June 8, 2021
Last update September 16, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the HTTP API located at /sgwebservice_o.php, action logFilePath, allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by requesting them through the web server.

Key dates

02 Disclosure timeline

June 8, 2021 CVE published
September 16, 2024 Record updated