CVE-2021-45967

CRITICAL EXPLOITED NUCLEI

Pascom Cloud Phone System <7.20.x - Path Traversal

Title source: llm

Description

An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints.

Nuclei Templates (1)

Pascom CPS Server-Side Request Forgery

CRITICALby dwisiswant0

References (4)

[Release Notes, Vendor Advisory] https://www.pascom.net/doc/en/release-notes/

[Release Notes, Vendor Advisory] https://www.pascom.net/doc/en/release-notes/pascom19/

[Exploit, Patch, Third Party Advisory] https://kerbit.io/research/read/blog/4

[Exploit, Patch, Third Party Advisory] https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html

Scores

CVSS v3 9.8

EPSS 0.9262

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-01-22

CWE

CWE-22

Status published

Products (3)

igniterealtime/openfire 4.5.0

igniterealtime/openfire < 4.5.0

pascom/cloud_phone_system < 7.19

Published Mar 18, 2022

Tracked Since Feb 18, 2026