PT-2019-13729 · Emca · Emca Energy Logserver

Maciej Domanski · Published 2019-08-05 · Updated 2019-08-13 · CVE-2019-14521

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

EMCA Energy Logserver version 6.1.2

Description

The issue concerns the api/admin/logoupload Logo File upload feature, which allows attackers to upload files to any location on the server. This is achieved through path traversal in the filename parameter.

Recommendations

For EMCA Energy Logserver version 6.1.2, consider restricting access to the api/admin/logoupload endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the filename parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2019-14521

Affected Products

Emca Energy Logserver