Details of VAR-202201-0869

ID

VAR-202201-0869

CVE

CVE-2021-37195

TITLE

COMOS Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-002939

DESCRIPTION

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS accepts arbitrary code as attachment to tasks. This could allow an attacker to inject malicious code that is executed when loading the attachment. COMOS Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Siemens Comos is a plant engineering software solution from Siemens AG in Germany. For the process industry

Trust: 1.71

sources: NVD: CVE-2021-37195 // JVNDB: JVNDB-2022-002939 // VULHUB: VHN-399026

AFFECTED PRODUCTS

vendor:	siemens	model:	comos	scope:	eq	version:	4.1	Trust: 1.0
vendor:	siemens	model:	comos	scope:	gte	version:	10.3	Trust: 1.0
vendor:	siemens	model:	comos	scope:	lte	version:	10.2	Trust: 1.0
vendor:	siemens	model:	comos	scope:	lt	version:	10.3.3.2.14	Trust: 1.0
vendor:	シーメンス	model:	comos	scope:	eq	version:	-	Trust: 0.8
vendor:	シーメンス	model:	comos	scope:	eq	version:	10.4 that's all 10.4.1	Trust: 0.8
vendor:	シーメンス	model:	comos	scope:	eq	version:	10.3 that's all 10.3.3.3	Trust: 0.8
vendor:	シーメンス	model:	comos	scope:	eq	version:	10.2	Trust: 0.8

sources: JVNDB: JVNDB-2022-002939 // NVD: CVE-2021-37195

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-37195
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-37195
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202201-866
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-399026
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2021-37195
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-399026
severity:	LOW
baseScore:	2.6
vectorString:	AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-37195
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2021-37195
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866 // NVD: CVE-2021-37195

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.1
problemtype:	CWE-80	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // NVD: CVE-2021-37195

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-866

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202201-866

PATCH

title:	SSA-995338	url:	https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf	Trust: 0.8
title:	Siemens Comos Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178727	Trust: 0.6

sources: JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866

EXTERNAL IDS

db:	NVD	id:	CVE-2021-37195	Trust: 3.3
db:	SIEMENS	id:	SSA-995338	Trust: 1.7
db:	ICS CERT	id:	ICSA-22-013-05	Trust: 1.4
db:	JVN	id:	JVNVU98508242	Trust: 0.8
db:	JVNDB	id:	JVNDB-2022-002939	Trust: 0.8
db:	CNNVD	id:	CNNVD-202201-866	Trust: 0.7
db:	CS-HELP	id:	SB2022011801	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0602	Trust: 0.6
db:	CNVD	id:	CNVD-2022-02747	Trust: 0.1
db:	VULHUB	id:	VHN-399026	Trust: 0.1

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866 // NVD: CVE-2021-37195

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-37195	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu98508242/index.html	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-05	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2022011801	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-013-05	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0602	Trust: 0.6

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866 // NVD: CVE-2021-37195

CREDITS

Sandro Poppi reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202201-866

SOURCES

db:	VULHUB	id:	VHN-399026
db:	JVNDB	id:	JVNDB-2022-002939
db:	CNNVD	id:	CNNVD-202201-866
db:	NVD	id:	CVE-2021-37195

LAST UPDATE DATE

2024-08-14T12:12:09.130000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-399026	date:	2022-04-29T00:00:00
db:	JVNDB	id:	JVNDB-2022-002939	date:	2023-01-31T02:12:00
db:	CNNVD	id:	CNNVD-202201-866	date:	2022-05-05T00:00:00
db:	NVD	id:	CVE-2021-37195	date:	2022-04-29T19:00:54.787

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-399026	date:	2022-01-11T00:00:00
db:	JVNDB	id:	JVNDB-2022-002939	date:	2023-01-31T00:00:00
db:	CNNVD	id:	CNNVD-202201-866	date:	2022-01-11T00:00:00
db:	NVD	id:	CVE-2021-37195	date:	2022-01-11T12:15:09.800