CVE-2021-37194 — Unrestricted File Upload in Siemens Comos

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Comos Siemens Comos V10.2 Siemens Comos V10.3 +1 more

Timeline

PublishedFeb 9

Latest updateFeb 10

Description

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS allows to upload and store arbitrary files at the webserver. This could allow an attacker to store malicious files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDsiemens/comos10.3 — 10.3.3.3+2

▶CVEListV5siemens/comos_v10.2All versions only if web components are used

▶CVEListV5siemens/comos_v10.3All versions < V10.3.3.3 only if web components are used

▶CVEListV5siemens/comos_v10.4All versions < V10.4.1 only if web components are used

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-3pr9-fm6f-mq6g: A vulnerability has been identified in COMOS V10↗2022-02-10

▶

CVEList

CVE-2021-37194: A vulnerability has been identified in COMOS V10↗2022-02-09

▶