CVE-2021-37195Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Siemens Comos

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.3%
top 45.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Siemens ComosSiemens Comos V10.2Siemens Comos V10.3+1 more
Timeline
PublishedJan 11
Latest updateFeb 10

Description

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS accepts arbitrary code as attachment to tasks. This could allow an attacker to inject malicious code that is executed when loading the attachment.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

NVDsiemens/comos10.310.3.3.2.14+2
CVEListV5siemens/comos_v10.2All versions only if web components are used
CVEListV5siemens/comos_v10.3All versions < V10.3.3.3 only if web components are used
CVEListV5siemens/comos_v10.4All versions < V10.4.1 only if web components are used

Patches

Patch: cert-portal.siemens.comPatch: cert-portal.siemens.com

🔴Vulnerability Details

2
GHSA
GHSA-2w4f-8m3p-jrxr: A vulnerability has been identified in COMOS (All versions < V102022-02-10
CVEList
CVE-2021-37195: A vulnerability has been identified in COMOS V102022-01-11
CVE-2021-37195 — Siemens Comos vulnerability | cvebase