Vulnerability Details : CVE-2021-46354
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2 (fixed in version 3.0) are affected by an information disclosure vulnerability in the "Addr" parameter of the cmd site. The ability to send requests to other systems can allow the vulnerable server to disclose the real IP of the web server or increase the attack surface.
Vulnerability category: Information leak
Products affected by CVE-2021-46354
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.1.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.1.32.1:*:*:*:*:*:*:*
- cpe:2.3:a:cybelesoft:thinfinity_virtualui:2.5.26.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-46354
- 28.64%: Probability of exploitation activity in the next 30 days
- ~ 96%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-46354
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2021-46354
- The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-46354
- http://thinfinity.com
  Deliver all your company apps, desktops, and data into a single unified workspace experience (Vendor Advisory)
- http://packetstormsecurity.com/files/166069/Thinfinity-VirtualUI-2.5.26.2-Information-Disclosure.html
  Thinfinity VirtualUI 2.5.26.2 Information Disclosure ≈ Packet Storm (Third Party Advisory; VDB Entry)
- https://github.com/cybelesoft/virtualui/issues/3
  Vulnerability - External Service Interaction · Issue #3 · cybelesoft/virtualui · GitHub (Third Party Advisory)