CVE-2021-46354
Published 2022-02-09

Priority: P2 · 61 · high
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 15.55% (96.4th percentile)
Thinfinity VirtualUI 2.1.28.0, 2.1.32.1 and 2.5.26.2 (fixed in version 3.0) is affected by an information disclosure vulnerability in the parameter "Addr" of the cmd site. The ability to make the server send requests to other systems can allow the vulnerable server to leak the real IP of the web server or increase the attack surface.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cybelesoft | thinfinity_virtualui | 2.1.28.0 | 3.0 |
| cybelesoft | thinfinity_virtualui | 2.1.32.1 | 3.0 |
| cybelesoft | thinfinity_virtualui | 2.5.26.2 | 3.0 |
Detection & IOCs (extracted from sources)
URL: cmd=connect&wscompression=true&destAddr=domain.com&scraper=fmx&screenWidth=1918&screenHeight=934&fitmode=0&argumentsp=&orientation=0&browserWidth=1918&browserHeight=872&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false
- Monitor HTTP requests to the Thinfinity VirtualUI 'cmd' endpoint containing the parameter 'destAddr' (also referred to as 'Addr') pointing to external or unexpected hosts; this is the SSRF/information-disclosure trigger.
- Flag requests where 'cmd=connect' is combined with 'destAddr=' set to an external domain or IP, as this is the exact request pattern used to abuse the vulnerable parameter.
- Alert on outbound connections originating from the Thinfinity VirtualUI server process to arbitrary external hosts, which may indicate successful SSRF exploitation leaking the real server IP.
- Affected versions are 2.1.28.0, 2.1.32.1, and 2.5.26.2; version 3.0 is the fixed release. Ensure detections are scoped to unpatched deployments.
- The vulnerable parameter is named 'Addr' in the NVD description but appears as 'destAddr' in the actual exploit request; detection rules should match both forms.
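The detection points above, as an added example that is not part of the original record: a small log scanner that extracts the destination from any 'cmd=connect' request (matching both the 'destAddr' and 'Addr' spellings) and reports destinations not on an operator-maintained allow-list of expected backends. The '/cmd' path, the allow-listed host name and the access-log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory): one connect to an
# allow-listed internal backend, two exploit-shaped connects to outside hosts
# (one per parameter spelling), and an unrelated cmd request.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2022:10:01:02 +0000] "GET /cmd?cmd=connect&wscompression=true&destAddr=vui-backend.corp.example&scraper=fmx HTTP/1.1" 200 512
203.0.113.9 - - [09/Feb/2022:10:01:07 +0000] "GET /cmd?cmd=connect&wscompression=true&destAddr=domain.com&scraper=fmx&screenWidth=1918 HTTP/1.1" 200 512
203.0.113.9 - - [09/Feb/2022:10:01:09 +0000] "GET /cmd?cmd=connect&Addr=198.51.100.77:8080 HTTP/1.1" 200 512
10.0.0.6 - - [09/Feb/2022:10:01:11 +0000] "GET /cmd?cmd=getversion HTTP/1.1" 200 64
"""

# Common-log-format prefix: client IP, ident, user, timestamp, then the request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# NVD names the parameter 'Addr'; the public request uses 'destAddr'. Match both.
ADDR_PARAMS = ("destAddr", "Addr")


def connect_destination(request_target):
    """Return the host a VirtualUI 'cmd=connect' request points at, or None.

    The '/cmd' endpoint path is an assumption for this example."""
    parts = urlsplit(request_target)
    if not parts.path.rstrip("/").endswith("/cmd"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("cmd", [""])[0].lower() != "connect":
        return None
    for name in ADDR_PARAMS:
        value = qs.get(name, [""])[0]
        if value:
            # Normalise 'host', 'host:port' or 'scheme://host:port' to the bare host.
            netloc = value if "://" in value else "//" + value
            return urlsplit(netloc).hostname
    return None


def find_unexpected_connects(log_text, allowed_hosts):
    """Return (client_ip, destination) for connect requests to non-allow-listed hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        dest = connect_destination(target)
        if dest is not None and dest not in allowed:
            hits.append((client, dest))
    return hits
```

Feeding the scanner a real access log with the site's genuine backend hosts in the allow-list gives one event per connect request that escapes the expected set, which is the condition the bullets above ask to alert on.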
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166069/Thinfinity-VirtualUI-2.5.26.2-Information-Disclosure.html
- http://thinfinity.com
- https://github.com/cybelesoft/virtualui/issues/3