ZDI-21-450: Schneider Electric C-Bus Toolkit PROJECT RESTORE Directory Traversal Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Schneider Electric C-Bus Toolkit. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the processing of commands sent to the C-Gate 2 Service. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/references
• agent/severity
• agent/title
• agent/description
• agent/softwarecombine
• agent/type
• agent/event
• agent/tags
• collector/zdi-advisory
• source/ZDI
• alias/ZDI-21-450
• alias/ZDI-CAN-12604
• alias/CVE-2021-22720
• agent/software-canonical-lookup
• vendor/schneider electric
• canonical/schneider electric c-bus toolkit