JVNDB-2021-000016
SolarView Compact provided by Contec Co., Ltd. contains multiple vulnerabilities listed below.

* Exposure of information through directory listing (CWE-548) - CVE-2021-20656
* Improper access control (CWE-284) - CVE-2021-20657
* OS command injection (CWE-78) - CVE-2021-20658
* Unrestricted upload of file with dangerous type (CWE-434) - CVE-2021-20659
* Cross-site scripting (CWE-79) - CVE-2021-20660
* Directory traversal (CWE-23) - CVE-2021-20661
* Missing authentication for critical function (CWE-306) - CVE-2021-20662
* Using components with known vulnerabilities (CWE-1035) - CVE-2011-0762, CVE-2011-4362, CVE-2013-4508, CVE-2013-4559, CVE-2013-4560, CVE-2014-2323, CVE-2014-2324

The product uses previous versions of vsftpd and lighttpd with known vulnerabilities.

CVE-2021-20656
Kouichirou Okada, Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20657, CVE-2021-20658
Takayuki Sasaki, Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-20659, CVE-2021-20660, CVE-2021-20661, CVE-2021-20662
Kouichirou Okada, Takayuki Sasaki, Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Kouichirou Okada, Katsunari Yoshioka of Yokohama National University reported to IPA that CVE-2011-0762, CVE-2011-4362, CVE-2013-4508, CVE-2013-4559, CVE-2013-4560, CVE-2014-2323 and CVE-2014-2324 vulnerabilities still exist in the product. JPCERT/CC coordinated with the developer.
Timeline
- Mar 2, 2011 CVE Published