8.8

CVE-2021-26828

Warnung
Exploit
OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ScadabrScadabr Version <= 0.9.1
   LinuxLinux Kernel Version-
ScadabrScadabr Version <= 1.12.4
   MicrosoftWindows Version-

03.12.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability

Schwachstelle

OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 39.36% 0.984
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

http://forum.scadabr.com.br/t/report-falhas-de-seguranca-em-versoes-do-scadabr/3615/4
Vendor Advisory
Exploit
Broken Link
http://packetstormsecurity.com/files/162564/ScadaBR-1.0-1.1CE-Linux-Shell-Upload.html
Third Party Advisory
Exploit
https://youtu.be/k1teIStQr1A
Third Party Advisory
Exploit
https://github.com/SCADA-LTS/Scada-LTS/pull/2174
Patch
Issue Tracking
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26828
US Government Resource