CyberSec.Space Logo
Back to CVE Browser

CVE-2021-27198

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1970%
EPSS Percentile40.15th
PublishedFeb 26, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in Visualware MyConnection Server before v11.1a. Unauthenticated Remote Code Execution can occur via Arbitrary File Upload in the web service when using a myspeed/sf?filename= URI. This application is written in Java and is thus cross-platform. The Windows installation runs as SYSTEM, which means that exploitation gives one Administrator privileges on the target system.

Affected Platforms (CPE)

πŸ“¦
Visualware

Myconnection Server

< 11.1a

References & Advisories

πŸ”— http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html
πŸ”— http://seclists.org/fulldisclosure/2021/Feb/81
πŸ”— https://myconnectionserver.visualware.com/download.html
πŸ”— https://myconnectionserver.visualware.com/support/newrelease.html
πŸ”— https://www.securifera.com/advisories/cve-2021-27198/
πŸ”— http://packetstormsecurity.com/files/161571/VisualWare-MyConnection-Server-11.x-Remote-Code-Execution.html
πŸ”— http://seclists.org/fulldisclosure/2021/Feb/81
πŸ”— https://myconnectionserver.visualware.com/download.html

Related Vulnerabilities

CVE-2021-275097.5

In Visualware MyConnection Server before 11.0b build 5382, each published report is not associated with its own access code.

CVE-2014-51134.3

Multiple cross-site scripting (XSS) vulnerabilities in test.php in Visualware MyConnection Server 9.7i allow remote attackers to i...

CVE-2015-20434.3

Multiple cross-site scripting (XSS) vulnerabilities in Visualware MyConnection Server 8.2b allow remote attackers to inject arbitr...

CVE-2021-2732910.0

Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or HTTP requests to arbitrary domain names.