9.4
CVE-2022-2102
- EPSS 0.85%
- Veröffentlicht 24.06.2022 15:15:10
- Zuletzt bearbeitet 21.11.2024 07:00:19
- Quelle ics-cert@hq.dhs.gov
- CVE-Watchlists
- Unerledigt
LoginSecheron SEPCOS Control and Protection Relay
Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Secheron ≫ Sepcos Control And Protection Relay Firmware Version >= 1.23.0 < 1.23.21
Secheron ≫ Sepcos Control And Protection Relay Firmware Version >= 1.24.0 < 1.24.8
Secheron ≫ Sepcos Control And Protection Relay Firmware Version >= 1.25.0 < 1.25.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.85% | 0.532 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
| ics-cert@hq.dhs.gov | 9.4 | 3.9 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-841 Improper Enforcement of Behavioral Workflow
The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03