#VU19158 Arbitrary file upload in Siemens products - CVE-2019-10935


Published: July 12, 2019


Vulnerability identifier: #VU19158
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-10935
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
SIMATIC WinCC Professional
SIMATIC PCS 7
Siemens SIMATIC WinCC
SIMATIC WinCC Runtime Professional
Software vendor:
Siemens

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of file uploads. A remote authenticated user with network access to the WinCC DataMonitor application can upload arbitrary ASPX code to the server, where the web server will execute it.

The vulnerability is relevant only in situations where an attacker has access via the web interface but not to the directory structure.
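The weakness class here (CWE-434) is an upload handler that decides "is this a data file?" from too little of the filename. The validator below is an added illustration written for this page, not Siemens or DataMonitor code; the allowlist, MIME table and magic bytes are constructed for the example. It rejects server-executable extensions wherever they appear in the name (double extensions, case variants, trailing dots and embedded NULs), checks declared type against content, and never lets the client choose the stored path.

```python
import secrets
import unicodedata

# Extensions an IIS/ASP.NET host would hand to a code handler rather than serve as data.
# Any of these appearing anywhere in the extension chain means "code", not "document".
SERVER_EXECUTABLE = {
    "aspx", "asp", "asax", "ascx", "ashx", "asmx", "axd", "cshtml", "vbhtml",
    "config", "dll", "exe", "soap", "rem", "master",
}

# Constructed allowlist for a hypothetical report-upload endpoint, with the
# content-type and leading bytes each accepted format is expected to carry.
ALLOWED = {"csv", "pdf", "png", "jpg", "txt"}
EXPECTED_MIME = {"csv": "text/csv", "pdf": "application/pdf", "png": "image/png",
                 "jpg": "image/jpeg", "txt": "text/plain"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}


def normalize_name(filename: str) -> str:
    """Drop directory components, stop at an embedded NUL, and strip trailing
    dots/spaces that the Windows filesystem silently discards."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.split("\x00", 1)[0]
    return unicodedata.normalize("NFKC", base).rstrip(". ")


def validate_upload(filename: str, content_type: str, head: bytes) -> tuple:
    """Return (accepted, reason_or_extension). Decision uses the whole extension chain."""
    name = normalize_name(filename)
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    exts = parts[1:]
    # 'report.csv.aspx' and 'shell.aspx.csv' both fail: any executable segment is fatal.
    if any(e in SERVER_EXECUTABLE for e in exts):
        return False, f"server-executable extension in {name!r}"
    final = exts[-1]
    if final not in ALLOWED:
        return False, f"extension {final!r} not in allowlist"
    if content_type.split(";")[0].strip().lower() != EXPECTED_MIME[final]:
        return False, "content-type does not match extension"
    if final in MAGIC and not head.startswith(MAGIC[final]):
        return False, "file header does not match extension"
    return True, final


def stored_name(ext: str) -> str:
    """Server-generated name for a directory outside the web root; client input
    never becomes part of the on-disk path."""
    return f"{secrets.token_hex(16)}.{ext}"
```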


Remediation

Install updates from the vendor's website.

External links