CVE-2021-35380
published 2022-02-15


Priority: P2 · 70 · high
CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 38.95% (98.4th percentile)
A Directory Traversal vulnerability exists in Solari di Udine TermTalk Server (TTServer) 3.24.0.2, which lets an unauthenticated malicious user gain access to the files on the remote system by gaining access to the relative path of the file they want to download (http://url:port/file?valore).

Affected

1 ranges
Vendor | Product | Version range | Fixed in
solari | termtalk_server | |

Detection & IOCs (extracted from sources)

url: http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts
path: /file?valore=../../../../../windows/win.ini
command: curl http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts
  • Detect unauthenticated GET requests to the /file endpoint with a 'valore' parameter containing directory traversal sequences (e.g., '../') targeting TermTalk Server.
  • HTTP response body containing all three strings 'bit app support', 'fonts', and 'extensions' simultaneously indicates successful exploitation via win.ini file read.
  • Flag GET requests where the 'valore' query parameter traverses outside the web root (multiple '../' sequences) on any host running TermTalk Server 3.24.0.2 — no authentication is required by the attacker.
  • The vulnerability is fixed in TermTalk Server version 3.26.1.7; detections should be scoped to instances running version 3.24.0.2 or earlier.
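
The request and response checks listed above, as an added example (not code from this page, the vendor, or any published rule). It assumes the server or a fronting proxy writes common/combined-format access logs; the function names and sample log lines are constructed for illustration. It also normalises percent-encoded forms of '../' before matching, which goes beyond the literal sequences quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request part of a common/combined-format access log line (assumed log format).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
WIN_INI_MARKERS = ("bit app support", "fonts", "extensions")  # strings from the page

def decode_fully(value, rounds=3):
    """Percent-decode a few more times (parse_qsl decoded once) to undo nesting."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def is_traversal_request(method, target):
    """True for GET /file with a 'valore' value containing a '..' path segment."""
    parts = urlsplit(target)
    if method != "GET" or parts.path != "/file":
        return False
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        if key == "valore":
            segments = decode_fully(raw).replace("\\", "/").split("/")
            if ".." in segments:
                return True
    return False

def scan(log_lines):
    """Return (line_number, status, target) for every matching request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQ.search(line)
        if m and is_traversal_request(m["method"], m["target"]):
            hits.append((n, int(m["status"]), m["target"]))
    return hits

def looks_like_win_ini(body):
    """Response-body check: all three marker strings present at once."""
    return all(marker in body.lower() for marker in WIN_INI_MARKERS)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2022:10:00:01 +0000] "GET /file?valore=report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2022:10:00:05 +0000] "GET /file?valore=../../../../../windows/win.ini HTTP/1.1" 200 92',
    '198.51.100.7 - - [01/Mar/2022:10:00:06 +0000] "GET /file?valore=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 200 92',
    '203.0.113.4 - - [01/Mar/2022:10:00:09 +0000] "GET /index.html?valore=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, status, target in scan(SAMPLE_LOG):
        print(f"line {line_no}: status {status}: {target}")
```

A hit with a 200 status deserves priority over one with a 4xx, and the body check applies only where response content is captured (for example at a proxy or in a packet capture).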

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N