This article is a part of our Vulnerability Database (back to index)
Path Traversal occurrences in Riskterminator
ECOA BAS controller suffers from a path traversal content disclosure vulnerability. Using the GET parameter in File Manager, unauthenticated attackers can remotely disclose directory content on the affected device. (2021-09-30, CVE-2021-41291)
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario. (2021-09-30, CVE-2021-41294)
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information. (2021-09-30, CVE-2021-41293)
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device. (2021-09-30, CVE-2021-41290)
Why Path Traversal can be dangerous
Relative Path Confusion means that your web server is configured to serve responses to ambiguous URLs. This configuration can possibly cause confusion about the correct relative path for the URL. It is also an issue of resources, such as images, styles etc., which are specified in the response using relative path, not the absolute URL.
If the web browser permits to parse "cross-content" response, the attacker may be able to fool the web browser into interpreting HTML into other content types, which can then lead to a cross site scripting attack (link do XSS).