Vulnerability Description
DSUtility.dll in Pelco Digital Sentry Server before 7.19.67 has an arbitrary file write vulnerability. The AppendToTextFile method doesn't check if it's being called from the application or from a malicious user. The vulnerability is triggered when a remote attacker crafts an HTML page (e.g., with "OBJECT classid=" and "<SCRIPT language='vbscript'>") to overwrite arbitrary files.
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pelco | Digital Sentry Server | < 7.19.67 |
Related Weaknesses (CWE)
References
- https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server_Exploit (Third Party Advisory)
- https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release- (Release Notes, Vendor Advisory)
FAQ
What is CVE-2021-27197?
CVE-2021-27197 is a vulnerability with a CVSS score of 8.1 (HIGH). DSUtility.dll in Pelco Digital Sentry Server before 7.19.67 has an arbitrary file write vulnerability. The AppendToTextFile method doesn't check if it's being called from the application or from a malicious user. The vulnerability is triggered when a remote attacker crafts an HTML page (e.g., with "OBJECT classid=" and "<SCRIPT language='vbscript'>") to overwrite arbitrary files.
How severe is CVE-2021-27197?
CVE-2021-27197 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-27197?
Check the references section above for vendor advisories and patch information. Affected products include: Pelco Digital Sentry Server.