CVE-2021-27197

high

Description

DSUtility.dll in Pelco Digital Sentry Server before 7.19.67 has an arbitrary file write vulnerability. The AppendToTextFile method doesn't check if it's being called from the application or from a malicious user. The vulnerability is triggered when a remote attacker crafts an HTML page (e.g., with "OBJECT classid=" and "<SCRIPT language='vbscript'>") to overwrite arbitrary files.

References

https://support.pelco.com/s/article/What-is-the-Digital-Sentry-software-release-revision-history

https://github.com/vitorespf/Advisories/blob/master/Pelco_Digital_Sentry_Server_AFW.txt

Details

Source: Mitre, NVD

Published: 2021-02-12

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 8.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Severity: High

EPSS

EPSS: 0.00295