CVE-2021-27418 Information

Description

GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input making it possible to perform cross-site scripting attacks which may be used to send a malicious script. Also UR Firmware web server does not perform HTML encoding of user-supplied strings.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 https://www.gegridsolutions.com/Passport/Login.aspx

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1