CVE-2021-33005
Published 2022-05-13
CVE-2021-33005: mySCADA myPRO versions prior to 8.20.0 allow an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.
Priority: P352 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 1.41% (69.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| myscada | mypro | < 8.20.0 | 8.20.0 |
| myscada | mypro | >= unspecified < 8.20.0 | 8.20.0 |
CVSS provenance
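| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |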
CISA ICS
mySCADA myPRO
cisa_ics·2021-08-05·CVSS 7.5
[HIGH] mySCADA myPRO
ICS Advisory
## mySCADA myPRO
Last Revised: August 05, 2021
Alert Code: ICSA-21-217-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.2
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: mySCADA
- Equipment: myPRO
- Vulnerabilities: Improper Access Control, Unrestricted Upload of File with Dangerous Type, Path Traversal, Exposure of Information Through Directory Listing
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow unauthorized users to access sensitive information and upload arbitrary files.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODU
GHSA
GHSA-rr6g-rf3h-gh6x: mySCADA myPRO versions prior to 8
ghsa_unreviewed·2022-05-14
CVE-2021-33005 [HIGH] CWE-22 GHSA-rr6g-rf3h-gh6x: mySCADA myPRO versions prior to 8
mySCADA myPRO versions prior to 8.20.0 allow an unauthenticated remote attacker to upload arbitrary files to arbitrary directories.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-05-13