Vulnerability Details CVE-2021-26473
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 72.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://csirt.divd.nl/2021/05/11/Vembu-zero-days/
- https://csirt.divd.nl/cases/DIVD-2020-00011/
- https://csirt.divd.nl/cves/CVE-2021-26473/
- https://www.wbsec.nl/vembu
- https://csirt.divd.nl/2021/05/11/Vembu-zero-days/
- https://csirt.divd.nl/cases/DIVD-2020-00011/
- https://csirt.divd.nl/cves/CVE-2021-26473/
- https://www.wbsec.nl/vembu
Products affected by CVE-2021-26473
-
cpe:2.3:a:vembu:bdr_suite:-
-
cpe:2.3:a:vembu:bdr_suite:3.1.0
-
cpe:2.3:a:vembu:bdr_suite:3.1.1
-
cpe:2.3:a:vembu:bdr_suite:3.1.2
-
cpe:2.3:a:vembu:bdr_suite:3.5.0
-
cpe:2.3:a:vembu:bdr_suite:3.6.0
-
cpe:2.3:a:vembu:bdr_suite:3.7.0
-
cpe:2.3:a:vembu:bdr_suite:3.8.0
-
cpe:2.3:a:vembu:bdr_suite:3.9.0
-
cpe:2.3:a:vembu:bdr_suite:3.9.1
-
cpe:2.3:a:vembu:bdr_suite:4.0.0
-
cpe:2.3:a:vembu:bdr_suite:4.0.1
-
cpe:2.3:a:vembu:bdr_suite:4.0.2
-
cpe:2.3:a:vembu:bdr_suite:4.1.0
-
cpe:2.3:a:vembu:bdr_suite:4.2.0
-
cpe:2.3:a:vembu:offsite_dr:4.2.0