CVE-2021-40661 : A remote, unauthenticated, directory traversal vulnerability was identified with

A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.

Published 2022-10-31 12:15:10

Updated 2025-05-07 14:15:29

Source MITRE

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2021-40661

MT » Ind780 Firmware » Version: 8.0.07
cpe:2.3:o:mt:ind780_firmware:8.0.07:*:*:*:*:*:*:*
Matching versions
When used together with: MT » Ind780 » Version: N/A
MT » Ind780 Firmware » Version: 7.2.10
cpe:2.3:o:mt:ind780_firmware:7.2.10:*:*:*:*:*:*:*
Matching versions
When used together with: MT » Ind780 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-40661

EPSS FAQ

88.45%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-40661

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-05-07
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-40661

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2021-40661

https://sidsecure.au/blog/cve-2021-40661/?_sm_pdc=1&_sm_rid=MRRqb4KBDnjBMJk24b40LMS3SKqPMqb4KVn32Kr

Unauthenticated Directory Traversal - SidSecure Cyber Security
Exploit;Third Party Advisory
https://www.mt.com/au/en/home/products/Industrial_Weighing_Solutions/Terminals-and-Controllers/terminals-bench-floor-scales/advanced-bench-floor-applications/IND780/IND780_.html#overviewpm

IND780 Advanced Weighing Terminal - Overview - METTLER TOLEDO
Product;Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-40661

Products affected by CVE-2021-40661

Exploit prediction scoring system (EPSS) score for CVE-2021-40661

CVSS scores for CVE-2021-40661

CWE ids for CVE-2021-40661

References for CVE-2021-40661