Information Disclosure and File Deletion Vulnerability in NETGEAR ProSAFE Network Management System
CVE-2021-27275

8.3HIGH

Key Information:

Vendor: Netgear
Status: Prosafe Network Management System
Vendor: CVE Published:; 29 March 2021

Summary

This vulnerability in the NETGEAR ProSAFE Network Management System allows remote attackers to disclose sensitive information and perform arbitrary file deletions. Although the attack requires authentication, the existing mechanisms can be easily bypassed. The flaw resides in the ConfigFileController class, where the realName parameter is inadequately validated, leading to unsafe file operations. As a result, attackers may exploit this condition to gain unauthorized access to sensitive information or to instigate a denial-of-service response on the affected system. For further details, please refer to the NETGEAR security advisory and the Zero Day Initiative's report.

Affected Version(s)

ProSAFE Network Management System 1.6.0.26

References

https://kb.netgear.com/000062687/Security-Advisory-for-De...

x_refsource_MISC

https://www.zerodayinitiative.com/advisories/ZDI-21-358/

x_refsource_MISC

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 29, 2021
Vulnerability Reserved
Feb 16, 2021

Credit

rgod