CVE-2021-45420 PoC — Emerson Xweb-500 授权问题漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/other/dixell-xweb500-filewrite.yaml

Associated Vulnerability

Title:Emerson Xweb-500 授权问题漏洞 (CVE-2021-45420)
Description:Emerson Xweb-500是美国Emerson公司的一个基于 Web 服务器技术的数据记录和远程监控系统。 Emerson Xweb-500 存在安全漏洞，该漏洞源于Emerson Dixell XWEB-500产品受到/cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, 和 /cgi-bin/lo_utils.cgi 任意文件写入漏洞的影响。攻击者可利用该漏洞在没有任何身份验证机制的情况下向目标系统写入任何文件，这可能导致拒绝服务和可能的远程

Description

Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerabilities in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service and potentially remote code execution. Note that this product has not been supported since 2018 and should be removed or replaced.

File Snapshot


 id: dixell-xweb500-filewrite

info:
  name: Emerson Dixell XWEB-500 - Arbitrary File Write
  author:

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!