Web Component Code Injection Vulnerability in Siemens COMOS Software
CVE-2021-37195
6.1 MEDIUM
Key Information:
- Vendor: Siemens
- CVE Published: 11 January 2022
What is CVE-2021-37195?
The web component of the COMOS software lets users attach files to tasks, but it is affected by a vulnerability that permits the injection of arbitrary code. The injected code can then execute whenever an attachment is opened, which puts at risk any user who unknowingly opens a compromised file.
Affected Version(s)
- COMOS V10.2: all versions (only if web components are used)
- COMOS V10.3: all versions < V10.3.3.3 (only if web components are used)
- COMOS V10.4: all versions < V10.4.1 (only if web components are used)