Siemens COMOS up to 10.4.0 Web sql injection

Summaryinfo

A vulnerability, which was classified as critical, has been found in Siemens COMOS up to 10.4.0. The affected element is an unknown function of the component Web. This manipulation causes sql injection. The identification of this vulnerability is CVE-2021-37197. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Siemens COMOS up to 10.4.0. Affected by this vulnerability is an unknown functionality of the component Web. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability.

The weakness was shared 01/11/2022 as ssa-995338. The advisory is shared at cert-portal.siemens.com. This vulnerability is known as CVE-2021-37197 since 07/21/2021. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1505 for this issue.

Upgrading to version 10.4.1 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Siemens

Name

• COMOS

Version

• 10.0
• 10.1
• 10.2
• 10.3
• 10.4.0

License

• commercial

Website

• Vendor: https://www.siemens.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion