ID

VAR-202201-0869


CVE

CVE-2021-37195


TITLE

Cross-site scripting vulnerability in COMOS

Trust: 0.8

sources: JVNDB: JVNDB-2022-002939

DESCRIPTION

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS accepts arbitrary code as attachment to tasks. This could allow an attacker to inject malicious code that is executed when loading the attachment. A cross-site scripting vulnerability therefore exists in COMOS: information may be obtained or tampered with. Siemens COMOS is a plant engineering software solution for the process industry from Siemens AG in Germany.

Trust: 1.71

sources: NVD: CVE-2021-37195 // JVNDB: JVNDB-2022-002939 // VULHUB: VHN-399026
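The description says the web component stores whatever is attached to a task and executes it when the attachment is loaded, i.e. stored cross-site scripting (CWE-79) reached through an upload rather than a form field. The following Python is an added illustration of that failure mode next to the usual fix in a generic attachment-download handler; it is not COMOS code, and the function names, the extension allow-list, the active-content check and the sample attachments are all assumptions constructed for this example.

```python
"""Serving user-uploaded task attachments without turning them into stored XSS.

Added example, not COMOS code: the handler shape, SAFE_TYPES, the
ACTIVE_CONTENT heuristic and all inputs are constructed for illustration.
"""
import re
from urllib.parse import quote

# Extensions an attachment may carry, mapped to the type we will *declare*
# (never the type the uploader claimed). Anything else is served as opaque bytes.
SAFE_TYPES = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".txt": "text/plain; charset=utf-8",
}

# Coarse markers of content a browser would execute if it rendered the file
# as a document (HTML/SVG tags, javascript: URLs, inline event handlers).
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed)\b|javascript:|\bon\w+\s*=",
    re.IGNORECASE,
)


def vulnerable_response(filename: str, declared_type: str, body: bytes) -> dict:
    """The CWE-79 pattern: the stored attachment is returned inline with the
    uploader-supplied MIME type, so a .html or .svg upload is rendered, and
    its script executed, in the application's own origin."""
    return {
        "status": 200,
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{filename}"',
        "body": body,
    }


def sanitize_filename(filename: str) -> str:
    """Drop path components and any character that could break the header."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "attachment"


def hardened_response(filename: str, declared_type: str, body: bytes) -> dict:
    """Serve the attachment so nothing in it can execute in our origin.

    `declared_type` is deliberately ignored: the served type comes from the
    extension allow-list, and everything else is application/octet-stream.
    """
    safe_name = sanitize_filename(filename)
    ext = "." + safe_name.rsplit(".", 1)[-1].lower() if "." in safe_name else ""
    content_type = SAFE_TYPES.get(ext, "application/octet-stream")

    # Text-like or unknown payloads are the ones a client might be coaxed
    # into interpreting; refuse them outright if they contain markup/script.
    if content_type.startswith("text/") or content_type == "application/octet-stream":
        if ACTIVE_CONTENT.search(body):
            return {"status": 415, "body": b"active content not allowed"}

    return {
        "status": 200,
        "Content-Type": content_type,
        # Always a download, never rendered inside the application's origin.
        "Content-Disposition": (
            f'attachment; filename="{safe_name}"; '
            f"filename*=UTF-8''{quote(safe_name)}"
        ),
        # Stop the browser from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
        # Even if a client renders it anyway: no script, no origin, no network.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "body": body,
    }
```

The hardened path removes every ingredient the description relies on: the uploader no longer chooses the MIME type, the file is never rendered inline, `nosniff` prevents type guessing, and text-like uploads containing markup are rejected before storage rather than filtered afterwards. Serving attachments from a separate, cookie-less origin is the usual additional layer; the content regex is a heuristic and should be treated as defence in depth, not as the control.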

AFFECTED PRODUCTS

vendor: siemens, model: comos, scope: eq, version: 4.1

Trust: 1.0

vendor: siemens, model: comos, scope: gte, version: 10.3

Trust: 1.0

vendor: siemens, model: comos, scope: lte, version: 10.2

Trust: 1.0

vendor: siemens, model: comos, scope: lt, version: 10.3.3.2.14

Trust: 1.0

vendor: Siemens, model: comos, scope: eq, version: -

Trust: 0.8

vendor: Siemens, model: comos, scope: eq, version: 10.4 (all versions < 10.4.1)

Trust: 0.8

vendor: Siemens, model: comos, scope: eq, version: 10.3 (all versions < 10.3.3.3)

Trust: 0.8

vendor: Siemens, model: comos, scope: eq, version: 10.2

Trust: 0.8

sources: JVNDB: JVNDB-2022-002939 // NVD: CVE-2021-37195

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-37195
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-37195
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202201-866
value: MEDIUM

Trust: 0.6

VULHUB: VHN-399026
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-37195
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-399026
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-37195
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-37195
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866 // NVD: CVE-2021-37195

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.1

problemtype:CWE-80

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // NVD: CVE-2021-37195

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-866

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202201-866

PATCH

title: SSA-995338, url: https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf

Trust: 0.8

title: Siemens Comos fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178727

Trust: 0.6

sources: JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866

EXTERNAL IDS

db: NVD, id: CVE-2021-37195

Trust: 3.3

db: SIEMENS, id: SSA-995338

Trust: 1.7

db: ICS CERT, id: ICSA-22-013-05

Trust: 1.4

db: JVN, id: JVNVU98508242

Trust: 0.8

db: JVNDB, id: JVNDB-2022-002939

Trust: 0.8

db: CNNVD, id: CNNVD-202201-866

Trust: 0.7

db: CS-HELP, id: SB2022011801

Trust: 0.6

db: AUSCERT, id: ESB-2022.0602

Trust: 0.6

db: CNVD, id: CNVD-2022-02747

Trust: 0.1

db: VULHUB, id: VHN-399026

Trust: 0.1

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866 // NVD: CVE-2021-37195

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-37195

Trust: 1.4

url:https://jvn.jp/vu/jvnvu98508242/index.html

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-013-05

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2022011801

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-013-05

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.0602

Trust: 0.6

sources: VULHUB: VHN-399026 // JVNDB: JVNDB-2022-002939 // CNNVD: CNNVD-202201-866 // NVD: CVE-2021-37195

CREDITS

Sandro Poppi reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202201-866

SOURCES

db: VULHUB, id: VHN-399026
db: JVNDB, id: JVNDB-2022-002939
db: CNNVD, id: CNNVD-202201-866
db: NVD, id: CVE-2021-37195

LAST UPDATE DATE

2024-08-14T12:12:09.130000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-399026, date: 2022-04-29T00:00:00
db: JVNDB, id: JVNDB-2022-002939, date: 2023-01-31T02:12:00
db: CNNVD, id: CNNVD-202201-866, date: 2022-05-05T00:00:00
db: NVD, id: CVE-2021-37195, date: 2022-04-29T19:00:54.787

SOURCES RELEASE DATE

db: VULHUB, id: VHN-399026, date: 2022-01-11T00:00:00
db: JVNDB, id: JVNDB-2022-002939, date: 2023-01-31T00:00:00
db: CNNVD, id: CNNVD-202201-866, date: 2022-01-11T00:00:00
db: NVD, id: CVE-2021-37195, date: 2022-01-11T12:15:09.800