Vulnerability Description
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vembu | Bdr Suite | < 4.2.0.1 |
| Vembu | Offsite Dr | < 4.2.0.1 |
References
- https://csirt.divd.nl/2021/05/11/Vembu-zero-days/Third Party Advisory
- https://csirt.divd.nl/cases/DIVD-2020-00011/Third Party Advisory
- https://csirt.divd.nl/cves/CVE-2021-26471/Third Party Advisory
- https://www.wbsec.nl/vembuBroken LinkThird Party Advisory
- https://csirt.divd.nl/2021/05/11/Vembu-zero-days/Third Party Advisory
- https://csirt.divd.nl/cases/DIVD-2020-00011/Third Party Advisory
- https://csirt.divd.nl/cves/CVE-2021-26471/Third Party Advisory
- https://www.wbsec.nl/vembuBroken LinkThird Party Advisory
FAQ
What is CVE-2021-26471?
CVE-2021-26471 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execut...
How severe is CVE-2021-26471?
CVE-2021-26471 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-26471?
Check the references section above for vendor advisories and patch information. Affected products include: Vembu Bdr Suite, Vembu Offsite Dr.