History: Mar 23, 2022 - 7:46 p.m.

CVE-2021-27418 GE UR family input validation

2022-03-23 19:46:23
CWE-20
icscert
www.cve.org

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 6.2
Confidence: High

EPSS: 0.001
Percentile: 41.5%

GE UR firmware versions prior to version 8.1x support a web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, the UR firmware web server does not perform HTML encoding of user-supplied strings.

CNA Affected

[
  {
    "product": "UR family",
    "vendor": "GE",
    "versions": [
      {
        "lessThan": "8.1x",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
