CVE-2021-41950

high-risk

Published 2021-11-15

A directory traversal issue in ResourceSpace 9.6 before 9.6 rev 18277 allows remote unauthenticated attackers to delete arbitrary files on the ResourceSpace server via the provider and variant parameters in pages/ajax/tiles.php. Attackers can delete configuration or source code files, causing the application to become unavailable to all users.

Do I need to act?

32.3% chance of exploitation in next 30 days

EPSS score — higher than 68% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Resourcespace

Affected Vendors

Montala

References (4)

Broken Link http://svn.resourcespace.com/svn/rs/releases/9.6/pages/ajax/tiles.php

Exploit https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/

Broken Link http://svn.resourcespace.com/svn/rs/releases/9.6/pages/ajax/tiles.php

Exploit https://www.horizon3.ai/multiple-vulnerabilities-in-resourcespace/

/ 100

high-risk

Severity 31/34 · Critical

Exploitability 16/34 · Moderate

Exposure 5/34 · Minimal