6.1

CVE-2021-27418

GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTML encoding of user-supplied strings.

Data is provided by the National Vulnerability Database (NVD)
GeMultilin B30 Firmware Version < 8.10
   GeMultilin B30 Version-
GeMultilin B90 Firmware Version < 8.10
   GeMultilin B90 Version-
GeMultilin C60 Firmware Version < 8.10
   GeMultilin C60 Version-
GeMultilin C70 Firmware Version < 8.10
   GeMultilin C70 Version-
GeMultilin C95 Firmware Version < 8.10
   GeMultilin C95 Version-
GeMultilin D30 Firmware Version < 8.10
   GeMultilin D30 Version-
GeMultilin D60 Firmware Version < 8.10
   GeMultilin D60 Version-
GeMultilin F35 Firmware Version < 8.10
   GeMultilin F35 Version-
GeMultilin F60 Firmware Version < 8.10
   GeMultilin F60 Version-
GeMultilin G30 Firmware Version < 8.10
   GeMultilin G30 Version-
GeMultilin G60 Firmware Version < 8.10
   GeMultilin G60 Version-
GeMultilin L30 Firmware Version < 8.10
   GeMultilin L30 Version-
GeMultilin L60 Firmware Version < 8.10
   GeMultilin L60 Version-
GeMultilin L90 Firmware Version < 8.10
   GeMultilin L90 Version-
GeMultilin M60 Firmware Version < 8.10
   GeMultilin M60 Version-
GeMultilin N60 Firmware Version < 8.10
   GeMultilin N60 Version-
GeMultilin T35 Firmware Version < 8.10
   GeMultilin T35 Version-
GeMultilin T60 Firmware Version < 8.10
   GeMultilin T60 Version-
GeMultilin C30 Firmware Version < 8.10
   GeMultilin C30 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.22% 0.446
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
ics-cert@hq.dhs.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02
Third Party Advisory
US Government Resource
Mitigation
https://www.gegridsolutions.com/Passport/Login.aspx
Vendor Advisory
Permissions Required