Publication Date: 2022-01-11
Last Update: 2022-04-12
Current Version: V1.2
CVSS v3.1 Base Score: 8.8

Affected Product and Versions Remediation
COMOS V10.2:
All versions only if web components are used
Currently no fix is planned
See recommendations from section Workarounds and Mitigations
COMOS V10.3:
All versions < V10.3.3.3 only if web components are used
Update to V10.3.3.3 or later version
https://support.industry.siemens.com/cs/ww/en/view/109808862/
See further recommendations from section Workarounds and Mitigations
COMOS V10.3:
All versions >= V10.3.3.3 only if web components are used
only affected by CVE-2021-37196
Currently no fix is planned
See recommendations from section Workarounds and Mitigations
COMOS V10.4:
All versions < V10.4.1 only if web components are used
Update to V10.4.1 or later version
https://support.industry.siemens.com/cs/ww/en/view/109805632/
See further recommendations from section Workarounds and Mitigations

CVSS v3.1 Base Score 4.3
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CWE: CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS v3.1 Base Score 7.7
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:P/RL:O/RC:C
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS v3.1 Base Score 6.5
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
CWE: CWE-23: Relative Path Traversal

CVSS v3.1 Base Score 8.8
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

CVSS v3.1 Base Score 5.4
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
CWE: CWE-352: Cross-Site Request Forgery (CSRF)

https://www.siemens.com/cert/advisories