Details of VAR-202205-0929

ID

VAR-202205-0929

CVE

CVE-2022-29876

TITLE

Siemens SICAM P850 and SICAM P855 Devices Cross-Site Scripting Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2022-36395

DESCRIPTION

A vulnerability has been identified in SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P850 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00), SICAM P855 (All versions < V3.00). Affected devices do not properly handle the input of a GET request parameter. The provided argument is directly reflected in the web server response. This could allow an unauthenticated attacker to perform reflected XSS attacks. The SICAM P850 multifunctional measuring device is used to acquire, visualize, evaluate and transmit electrical measurement variables such as alternating current, alternating voltage, frequency, power, harmonics, etc. The SICAM P855 multifunction device is used to collect, display and transmit measured electrical variables such as AC current, AC voltage, power type, harmonics, etc. Measured values and events are collected and processed according to the power quality standard IEC 61000-4-30. Siemens SICAM P850 and SICAM P855

Trust: 1.53

sources: NVD: CVE-2022-29876 // CNVD: CNVD-2022-36395 // VULMON: CVE-2022-29876

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-36395

AFFECTED PRODUCTS

vendor:	siemens	model:	sicam p850	scope:	lt	version:	v3.00	Trust: 10.8
vendor:	siemens	model:	sicam p855	scope:	lt	version:	v3.00	Trust: 10.8
vendor:	siemens	model:	7kg8551-0aa32-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8500-0aa00-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8550-0aa00-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8500-0aa30-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa01-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8550-0aa10-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa02-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa01-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa02-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa12-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8500-0aa30-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa11-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa01-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8550-0aa30-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa31-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa32-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8550-0aa10-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8500-0aa00-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa11-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8500-0aa10-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa01-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa31-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa12-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa12-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa02-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa02-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8550-0aa00-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa12-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa11-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa11-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8500-0aa10-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa32-2aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8551-0aa31-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa32-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8501-0aa31-0aa0	scope:	lt	version:	3.00	Trust: 1.0
vendor:	siemens	model:	7kg8550-0aa30-0aa0	scope:	lt	version:	3.00	Trust: 1.0

sources: CNVD: CNVD-2022-36395 // NVD: CVE-2022-29876

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-29876
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2022-36395
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202205-3128
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2022-29876
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2022-36395
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-29876
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0

sources: CNVD: CNVD-2022-36395 // CNNVD: CNNVD-202205-3128 // NVD: CVE-2022-29876

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.0

sources: NVD: CVE-2022-29876

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-3128

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202205-3128

PATCH

title:	Patch for Siemens SICAM P850 and SICAM P855 Devices Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/332531	Trust: 0.6
title:	Siemens SICAM Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194233	Trust: 0.6

sources: CNVD: CNVD-2022-36395 // CNNVD: CNNVD-202205-3128

EXTERNAL IDS

db:	NVD	id:	CVE-2022-29876	Trust: 2.3
db:	SIEMENS	id:	SSA-165073	Trust: 2.2
db:	ICS CERT	id:	ICSA-22-132-07	Trust: 0.7
db:	CNVD	id:	CNVD-2022-36395	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.2357	Trust: 0.6
db:	CS-HELP	id:	SB2022051724	Trust: 0.6
db:	CNNVD	id:	CNNVD-202205-3128	Trust: 0.6
db:	VULMON	id:	CVE-2022-29876	Trust: 0.1

sources: CNVD: CNVD-2022-36395 // VULMON: CVE-2022-29876 // CNNVD: CNNVD-202205-3128 // NVD: CVE-2022-29876

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-165073.pdf	Trust: 1.6
url:	https://cert-portal.siemens.com/productcert/html/ssa-165073.html	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022051724	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-29876/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-132-07	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.2357	Trust: 0.6
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-132-07	Trust: 0.1

sources: CNVD: CNVD-2022-36395 // VULMON: CVE-2022-29876 // CNNVD: CNNVD-202205-3128 // NVD: CVE-2022-29876

CREDITS

Michael Messner from Siemens Energy reported these vulnerabilities to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202205-3128

SOURCES

db:	CNVD	id:	CNVD-2022-36395
db:	VULMON	id:	CVE-2022-29876
db:	CNNVD	id:	CNNVD-202205-3128
db:	NVD	id:	CVE-2022-29876

LAST UPDATE DATE

2024-11-23T21:50:29.839000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-36395	date:	2022-05-11T00:00:00
db:	CNNVD	id:	CNNVD-202205-3128	date:	2022-05-30T00:00:00
db:	NVD	id:	CVE-2022-29876	date:	2024-11-21T06:59:52.710

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-36395	date:	2022-05-11T00:00:00
db:	CNNVD	id:	CNNVD-202205-3128	date:	2022-05-12T00:00:00
db:	NVD	id:	CVE-2022-29876	date:	2022-05-20T13:15:16.083