9.8

CVE-2021-22646

The “ipk” package containing the configuration created by TWinSoft can be uploaded, extracted, and executed in Ovarro TBox, allowing malicious code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OvarroTwinsoft Version < 12.4
OvarroTbox Lt2-530 Firmware Version < 1.46
   OvarroTbox Lt2-530 Version-
OvarroTbox Lt2-532 Firmware Version < 1.46
   OvarroTbox Lt2-532 Version-
OvarroTbox Lt2-540 Firmware Version < 1.46
   OvarroTbox Lt2-540 Version-
OvarroTbox Ms-cpu32 Firmware Version < 1.46
   OvarroTbox Ms-cpu32 Version-
OvarroTbox Ms-cpu32-s2 Firmware Version < 1.46
   OvarroTbox Ms-cpu32-s2 Version-
OvarroTbox Rm2 Firmware Version < 1.46
   OvarroTbox Rm2 Version-
OvarroTbox Tg2 Firmware Version < 1.46
   OvarroTbox Tg2 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.99% 0.764
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ics-cert@hq.dhs.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04
Third Party Advisory
US Government Resource