CVE-2021-37195: XSS
First published: Tue Jan 11 2022(Updated: )
A vulnerability has been identified in COMOS V10.2 (All versions only if web components are used), COMOS V10.3 (All versions < V10.3.3.3 only if web components are used), COMOS V10.4 (All versions < V10.4.1 only if web components are used). The COMOS Web component of COMOS accepts arbitrary code as attachment to tasks. This could allow an attacker to inject malicious code that is executed when loading the attachment.
Credit: productcert@siemens.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Siemens COMOS | <=10.2 | |
| Siemens COMOS | >=10.3<10.3.3.2.14 | |
| Siemens COMOS | =4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-37195?
CVE-2021-37195 is a vulnerability in the COMOS web component that allows for the execution of arbitrary code.
Which software versions are affected by CVE-2021-37195?
COMOS V10.2, COMOS V10.3 (versions < V10.3.3.3), and COMOS V10.4 (versions < V10.4.1) are affected by CVE-2021-37195 if web components are used.
What is the severity of CVE-2021-37195?
CVE-2021-37195 has a severity value of 6.1 (medium).
How can I fix CVE-2021-37195?
To fix CVE-2021-37195, it is recommended to update to the latest version of COMOS and ensure that web components are not used.
What are the references for CVE-2021-37195?
The reference for CVE-2021-37195 is available at https://cert-portal.siemens.com/productcert/pdf/ssa-995338.pdf.
- collector/nvd-index
- vendor/siemens
- canonical/siemens comos
- version/siemens comos/10.2
- version/siemens comos/10.3
- version/siemens comos/4.1