CVE-2021-36121

Name of the Vulnerable Software and Affected Versions: Echo ShareCare version 8.15.5

Description: An issue was discovered in the file-upload feature of Echo ShareCare, specifically in the Access/DownloadFeed Mnt/FileUpload Upd.cfm file, which is susceptible to an unrestricted upload vulnerability via the name1 parameter. This vulnerability allows arbitrary files to be written to arbitrary filesystem locations via ../ Directory Traversal on the Z: drive, where ShareCare application files reside, and enables remote code execution as the ShareCare service user (NT AUTHORITYSYSTEM).

Recommendations: For Echo ShareCare version 8.15.5, consider disabling the file-upload feature in Access/DownloadFeed Mnt/FileUpload Upd.cfm as a temporary workaround to prevent exploitation. Restrict access to the name1 parameter in the file-upload feature to minimize the risk of arbitrary file uploads and remote code execution.