A vulnerability has been identified in Spectrum Power 4 (All versions using Shared HIS), Spectrum Power 7 (All versions using Shared HIS), Spectrum Power MGMS (All versions using Shared HIS). An unauthenticated attacker could log into the component Shared HIS used in Spectrum Power systems by using an account with default credentials. A successful exploitation could allow the attacker to access the component Shared HIS with administrative privileges.
siemens:spectrum_power_microgrid_management_system siemens:spectrum_power_7 siemens:spectrum_power_4
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
siemens:simatic_wincc siemens:solid_edge_wiring_harness_design intel:system_debugger intel:secure_device_onboard intel:oneapi siemens:siveillance_vantage siemens:dynamic_security_assessment netapp:brocade_san_navigator fedoraproject:fedora siemens:siveillance_command siemens:industrial_edge_management siemens:gma-manager apache:log4j netapp:cloud_insights_acquisition_unit siemens:xpedition_package_integrator siemens:siveillance_control siemens:siveillance_identity netapp:cloud_manager siemens:desigo_consumption_control_advanced_reporting siemens:e-car_operating_center siemens:head-end_system_universal_device_integration_system siemens:xpedition_enterprise_data_management siemens:mindsphere siemens:nx siemens:opcenter_intelligence siemens:mendix netapp:cloud_secure_agent netapp:oncommand_insight siemens:vesys arubanetworks:silver_peak_orchestrator netapp:snapcenter siemens:energyip_prepay intel:audio_development_kit siemens:sipass_integrated siemens:teamcenter_suite siemens:operation_scheduler siemens:desigo_consumption_control_info_center netapp:ontap_tools siemens:industrial_edge_manangement_hub debian:debian_linux siemens:logo\!_soft_comfort siemens:cosmos siemens:spectrum_power_4 intel:datacenter_manager siemens:spectrum_power_7 siemens:capital
A vulnerability has been identified in Spectrum Power 3 (Corporate User Interface) (All versions <= v3.11), Spectrum Power 4 (Corporate User Interface) (Version v4.75), Spectrum Power 5 (Corporate User Interface) (All versions <= v5.50), Spectrum Power 7 (Corporate User Interface) (All versions <= v2.20). The web server could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user does not need to be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known.
siemens:spectrum_power_5 siemens:spectrum_power_7 siemens:spectrum_power_3 siemens:spectrum_power_4