CVE-2021-46417
published 2022-04-07

CVE-2021-46417: Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri…

Priority: P183 high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 59.75% (99.0th percentile)
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.

Affected (1 range)

Vendor | Product | Version range | Fixed in
franklinfueling | colibri_firmware | - | -

Detection & IOCs (extracted from sources)

url: /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
url: http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
path: /cgi-bin/tsaupload.cgi
yara regex: root:.*:0:0:
  • Detect exploitation attempts by monitoring HTTP GET requests to /cgi-bin/tsaupload.cgi containing path traversal sequences (../../) in the file_name parameter, particularly targeting /etc/passwd.
  • Shodan/FOFA queries can identify exposed Franklin Fueling Systems Colibri devices: search for http.html:"Franklin Fueling Systems" or body="franklin fueling systems".
  • Successful exploitation returns a response body matching the Unix passwd file pattern; detect by inspecting HTTP responses for the regex root:.*:0:0: from the tsaupload.cgi endpoint.
  • The vulnerable CGI script tsaupload.cgi is accessible without authentication (empty password parameter), indicating unauthenticated path traversal is possible.
  • The path traversal payload uses a double leading slash (//etc/passwd) after the traversal sequence, which may be relevant for WAF/IDS signature tuning to avoid false negatives.
  • The vulnerable endpoint path includes the firmware version string as a prefix directory (18198580), which corresponds to version 1.8.19.8580; detection rules should account for this version-specific path segment.
  • The Nuclei template uses a base URL path without the version prefix (/cgi-bin/tsaupload.cgi), suggesting the endpoint may also be reachable without the version directory prefix.
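The detection notes above translate directly into a log-side check. The following is an added example, not code from the database or from the vendor: it parses constructed Common Log Format lines (not real device traffic), flags GET requests to tsaupload.cgi whose file_name parameter contains a traversal sequence (with or without the 18198580 version-prefix directory, and with URL-encoded dots), records whether the password parameter was empty, and separately tests a response body against the root:.*:0:0: regex from the record. All sample lines and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from any real device or source).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2022:10:00:01 +0000] "GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1" 200 1432
10.0.0.5 - - [07/Apr/2022:10:00:02 +0000] "GET /cgi-bin/tsaupload.cgi?file_name=..%2F..%2F..%2Fetc%2Fpasswd&password= HTTP/1.1" 200 900
10.0.0.7 - - [07/Apr/2022:10:00:03 +0000] "GET /18198580/cgi-bin/tsaupload.cgi?file_name=report.csv&password=secret HTTP/1.1" 200 512
10.0.0.8 - - [07/Apr/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+)'
)

# The endpoint from the record, with an optional numeric version-prefix directory
# (e.g. /18198580) so both forms noted above are covered.
ENDPOINT_RE = re.compile(r'^(?P<ver>/\d+)?/cgi-bin/tsaupload\.cgi$')

# A ".." path component bounded by a slash, backslash, start or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Response-side indicator from the record: a Unix passwd root entry.
PASSWD_RE = re.compile(r'root:.*:0:0:')


def is_traversal(value):
    """True if the (possibly double-encoded) value contains a '..' path component."""
    decoded = unquote(unquote(value))  # tolerate single and double URL encoding
    return bool(TRAVERSAL_RE.search(decoded))


def analyze_request(target):
    """Return alert details for a tsaupload.cgi traversal request, else None."""
    parts = urlsplit(target)
    m = ENDPOINT_RE.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # keep 'password=' as ""
    names = qs.get("file_name", [])
    if not any(is_traversal(v) for v in names):
        return None
    passwords = qs.get("password", [""])
    return {
        "path": parts.path,
        "version_prefix": (m.group("ver") or "").lstrip("/"),
        "file_name": unquote(names[0]),
        "unauthenticated": all(p == "" for p in passwords),
    }


def scan_log(text):
    """Parse CLF lines and return one alert dict per matching request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        hit = analyze_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), status=int(m.group("status")))
            alerts.append(hit)
    return alerts


def response_leaks_passwd(body):
    """True if a response body looks like a Unix passwd file (root entry present)."""
    return bool(PASSWD_RE.search(body))


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    # Constructed response body, not captured from any device.
    print(response_leaks_passwd("root:x:0:0:root:/root:/bin/sh\n"))
```

Because the check decodes the query twice and matches the endpoint with or without the version directory, it catches the double-slash and prefix variants called out in the notes; pairing a request hit with a response-body match gives the higher-confidence "successful exploitation" signal rather than only an attempt.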

CVSS provenance

nvd v3.1: 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd v2.0: 7.8 HIGH · AV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck: 7.5 HIGH