CVE-2021-41298 HIGH

CVE-2021-41298: ECOA BAS controller - Improper Access Control

Weakness CWE-284
Published September 30, 2021
Last update September 16, 2024

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The ECOA BAS controller is vulnerable to insecure direct object references, which occur when an application grants direct access to objects based on user-supplied input without checking that the requesting user is authorized for that object. As a result, an attacker holding only an ordinary user account can remotely bypass authorization, access hidden resources in the system, and execute privileged functionality.
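The description above names the weakness class (CWE-284, insecure direct object reference) but not the affected code. The following is an added illustration of that class in generic form, not code from ECOA or from this record: a lookup that selects an object straight from a request-supplied id, beside the hardened form that authorizes the caller against the object and the action. The users, roles, record ids and payloads are constructed sample data.

```python
"""Insecure direct object reference (CWE-284) in its generic form.

Added example: the data model, user names, roles and record ids below are
constructed for illustration and do not describe the ECOA BAS controller.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    hidden: bool   # True for resources the UI does not expose to ordinary users
    payload: str


class AccessDenied(Exception):
    pass


# Constructed sample store: two ordinary users' records and one hidden admin-only record.
RECORDS = {
    1: Record(1, "alice", False, "alice's schedule"),
    2: Record(2, "bob", False, "bob's schedule"),
    3: Record(3, "admin", True, "controller configuration"),
}


def fetch_record_insecure(user: User, record_id: int) -> Record:
    """Vulnerable pattern: the request's id selects the object directly.

    Authentication happened (we have a User), but no authorization follows, so
    any logged-in user reaches any record simply by changing the id.
    """
    return RECORDS[record_id]


def fetch_record(user: User, record_id: int) -> Record:
    """Hardened pattern: look the object up, then authorize the caller against it."""
    record = RECORDS.get(record_id)
    if record is None:
        # Same exception as a denied request, so callers cannot enumerate valid ids.
        raise AccessDenied("not permitted")
    if user.role == "admin":
        return record
    if record.hidden or record.owner != user.name:
        raise AccessDenied("not permitted")
    return record


def run_privileged_action_insecure(user: User, action: str) -> str:
    """Vulnerable pattern: hiding a function in the UI is not an access check."""
    return f"executed {action}"


def run_privileged_action(user: User, action: str) -> str:
    """Hardened pattern: enforce the role on the server side for every call."""
    if user.role != "admin":
        raise AccessDenied("admin role required")
    return f"executed {action}"


def can_read(user: User, record_id: int) -> bool:
    """True when the hardened path grants the read."""
    try:
        fetch_record(user, record_id)
        return True
    except AccessDenied:
        return False


def exposes_idor(user: User, record_id: int) -> bool:
    """Review helper: True when the insecure path serves an object the hardened path denies.

    Running this over every (user, id) pair is a cheap way to find the gap an
    authorization test suite should cover.
    """
    if can_read(user, record_id):
        return False
    try:
        fetch_record_insecure(user, record_id)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    bob = User("bob", "user")
    for rid in RECORDS:
        print(f"bob -> record {rid}: idor={exposes_idor(bob, rid)}")
```

The point of the hardened `fetch_record` is that the authorization decision is made against the resolved object (owner and hidden flag) and the caller's role, not against whether the UI happened to show a link; the same applies to `run_privileged_action`, where the role check runs on every invocation regardless of how the request was constructed.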

Key dates

02 Disclosure timeline

September 30, 2021 CVE published
September 16, 2024 Record updated