Описание
The CIMPLICITY Web-based access component, CimWebServer, does not check the location of shell files being loaded into the system. By modifying the source location, an attacker could send shell code to the CimWebServer which would deploy the nefarious files as part of any SCADA project. This could allow the attacker to execute arbitrary code.
Ссылки
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 8.2 (включая)
Одно из
cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\%2fscada_cimplicity:*:sim24:*:*:*:*:*:*
cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:4.01:*:*:*:*:*:*:*
cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:7.5:*:*:*:*:*:*:*
cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:8.0:*:*:*:*:*:*:*
cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:8.1:*:*:*:*:*:*:*
cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:8.2:*:*:*:*:*:*:*
cpe:2.3:a:ge:intelligent_platforms_proficy_process_systems_with_cimplicity:-:*:*:*:*:*:*:*
EPSS
Процентиль: 78%
0.01174
Низкий
6.8 Medium
CVSS2
7.5 High
CVSS2
Дефекты
CWE-22
CWE-22
Связанные уязвимости
github
больше 3 лет назад
Directory traversal vulnerability in CimWebServer.exe (aka the WebView component) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY before 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted message to TCP port 10212, aka ZDI-CAN-1623.
EPSS
Процентиль: 78%
0.01174
Низкий
6.8 Medium
CVSS2
7.5 High
CVSS2
Дефекты
CWE-22
CWE-22