SQL Injection Vulnerability in COMOS Web Components by Siemens
CVE-2021-37197

8.8HIGH

Key Information:

Vendor: Siemens
Status: Comos V10.2; Comos V10.3; Comos V10.4
Vendor: CVE Published:; 11 January 2022

Summary

A vulnerability exists in the web components of Siemens COMOS, affecting version V10.2 and certain earlier versions of V10.3 and V10.4. This security flaw allows an attacker to perform SQL injection, potentially enabling unauthorized execution of SQL commands against the database. Such exploitation could lead to unauthorized data access or even manipulation, posing significant risks to system integrity and confidentiality. Users of the affected versions are strongly encouraged to implement security measures to safeguard their systems against such threats.

Affected Version(s)

COMOS V10.2 All versions only if web components are used

COMOS V10.3 All versions < V10.3.3.3 only if web components are used

COMOS V10.4 All versions < V10.4.1 only if web components are used

References

https://cert-portal.siemens.com/productcert/pdf/ssa-99533...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 11, 2022
Vulnerability Reserved
Jul 21, 2021