CVE-2021-37197

2022-01-1111:27:14

CWE-89

siemens

www.cve.org

comos

web component

sql injection

vulnerability

cve-2021-37197

AI Score

Confidence

High

EPSS

0.001

Percentile

33.2%

JSON

A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS is vulnerable to SQL injections. This could allow an attacker to execute arbitrary SQL statements.

CNA Affected

[
  {
    "product": "COMOS V10.2",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions only if web components are used"
      }
    ]
  },
  {
    "product": "COMOS V10.3",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V10.3.3.3 only if web components are used"
      }
    ]
  },
  {
    "product": "COMOS V10.4",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V10.4.1 only if web components are used"
      }
    ]
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf