PT-2021-7988 · Emerson · Emerson Dixell Xweb-500

Published: 2021-12-20 · Updated: 2024-08-04 · CVE-2021-45420

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Emerson Dixell XWEB-500 (affected versions not specified)

Description: The product has an arbitrary file write vulnerability in the /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi API endpoints. The vulnerability allows an unauthenticated attacker to write any file on the target system, potentially leading to denial of service and remote code execution. The product has not been supported since 2018.

Recommendations: As a temporary workaround, consider disabling the /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi API endpoints until the issue is resolved. Restrict access to the vulnerable functions to minimize the risk of exploitation. Because the product has not been supported since 2018, it should be removed or replaced. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
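While the endpoints remain reachable, the web-server access log is the practical place to confirm whether anyone has been hitting them. The following is an added example (not part of this advisory or of any Emerson tooling) that scans Common Log Format lines for requests to the three CGI endpoints named above, normalising percent-encoding and duplicate slashes so obfuscated spellings are not missed; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# CGI endpoints named in the advisory for CVE-2021-45420.
VULNERABLE_ENDPOINTS = {
    "/cgi-bin/logo_extra_upload.cgi",
    "/cgi-bin/cal_save.cgi",
    "/cgi-bin/lo_utils.cgi",
}

# Common Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Strip the query string, percent-decode, collapse duplicate slashes and
    lower-case the path so obfuscated spellings still match the endpoint set."""
    path = re.sub(r"/+", "/", unquote(urlsplit(target).path))
    return path.lower()

def flag_requests(lines):
    """Return one finding per request whose path is a vulnerable endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = normalize_path(m.group("target"))
        if path in VULNERABLE_ENDPOINTS:
            findings.append({
                "src": m.group("src"),
                "method": m.group("method"),
                "endpoint": path,
                "status": int(m.group("status")),
            })
    return findings

# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2021:10:01:02 +0000] "POST /cgi-bin/logo_extra_upload.cgi HTTP/1.1" 200 12',
    '203.0.113.7 - - [20/Dec/2021:10:01:05 +0000] "POST /cgi-bin//cal%5Fsave.cgi?x=1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [20/Dec/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.3 - - [20/Dec/2021:10:03:30 +0000] "GET /cgi-bin/lo_utils.cgi HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in flag_requests(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['endpoint']} -> {f['status']}")
```

A 200 status on a POST to one of these endpoints after the access restriction was applied indicates the restriction is not in effect and the device should be treated as potentially compromised.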

Exploit

Missing Authentication

Information Disclosure

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

BDU:2024-00856
CVE-2021-45420

Affected Products

Emerson Dixell Xweb-500