CVE-2021-40335 - OpenCVE

Vendors	Products
Hitachienergy	Modular Switchgear Monitoring Modular Switchgear Monitoring Firmware

Link	Providers
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch

{"containers": {"cna": {"affected": [{"product": "MSM", "vendor": "Hitachi Energy", "versions": [{"lessThanOrEqual": "V2.2", "status": "affected", "version": "v2.2", "versionType": "custom"}]}], "datePublic": "2022-07-12T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-25T14:32:14", "orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch"}], "source": {"discovery": "INTERNAL"}, "title": "Cross Site Request Forgery (CSRF) in Hitachi Energy\u2019s MSM Product", "workarounds": [{"lang": "en", "value": "Apply mitigation strategy as described in Mitigation Factors Section in the advisory."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cybersecurity@hitachienergy.com", "DATE_PUBLIC": "2022-07-12T14:30:00.000Z", "ID": "CVE-2021-40335", "STATE": "PUBLIC", "TITLE": "Cross Site Request Forgery (CSRF) in Hitachi Energy\u2019s MSM Product"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MSM", "version": {"version_data": [{"version_affected": "<=", "version_name": "v2.2", "version_value": "V2.2"}]}}]}, "vendor_name": "Hitachi Energy"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch", "refsource": "CONFIRM", "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch"}]}, "source": {"discovery": "INTERNAL"}, "work_around": [{"lang": "en", "value": "Apply mitigation strategy as described in Mitigation Factors Section in the advisory."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:27:31.911Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch"}]}]}, "cveMetadata": {"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "assignerShortName": "Hitachi Energy", "cveId": "CVE-2021-40335", "datePublished": "2022-07-25T14:32:14.467555Z", "dateReserved": "2021-08-31T00:00:00", "dateUpdated": "2024-09-16T23:40:51.199Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:modular_switchgear_monitoring:-:*:*:*:*:*:*:*", "matchCriteriaId": "6CBD92D1-045F-44D8-99B1-12C28B0271F9", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:hitachienergy:modular_switchgear_monitoring_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "105E197F-5BCD-445C-B20B-294619685EC5", "versionEndIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions."}, {"lang": "es", "value": "Se presenta una vulnerabilidad en la interfaz web HTTP en la que la interfaz web no comprueba suficientemente si una petici\u00f3n bien formada, v\u00e1lida y coherente fue proporcionada intencionalmente por el usuario que envi\u00f3 la petici\u00f3n. Esto causa una vulnerabilidad de tipo Cross Site Request Forgery (CSRF), que si es explotada podr\u00eda conllevar a un atacante a obtener acceso no autorizado a la aplicaci\u00f3n web y llevar a cabo una operaci\u00f3n no deseada en ella sin el conocimiento del usuario leg\u00edtimo. Un atacante, que logra que un usuario de MSM que ya ha establecido una sesi\u00f3n con la interfaz web de MSM haga clic en un enlace falsificado a la interfaz web de MSM, por ejemplo, el enlace es enviado por correo electr\u00f3nico, podr\u00eda llevar a cabo un comando da\u00f1ino en MSM mediante su interfaz de servidor web. Este problema afecta a: Hitachi Energy MSM versiones V2.2 y versiones anteriores"}], "id": "CVE-2021-40335", "lastModified": "2023-04-19T15:32:25.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}]}, "published": "2022-07-25T15:15:09.173", "references": [{"source": "cybersecurity@hitachienergy.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@hitachienergy.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object