CVE-2022-2105

EUVD-2022-34393
Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a “root” user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.4 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
icscertCNA
9.4 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
secheronsepcos_control_and_protection_relay_firmware
1.23.0 ≤
𝑥
< 1.23.21
secheronsepcos_control_and_protection_relay_firmware
1.24.0 ≤
𝑥
< 1.24.8
secheronsepcos_control_and_protection_relay_firmware
1.25.0 ≤
𝑥
< 1.25.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03
https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03