CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-40356
https://notcve.org/view.php?id=CVE-2021-40356
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The application contains a XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem. Se ha identificado una vulnerabilidad en Teamcenter versión V12.4 (Todas las versiones anteriores a V12.4.0.8), Teamcenter versión V13.0 (Todas las versiones anteriores a V13.0.0.7), Teamcenter versión V13.1 (Todas las versiones anteriores a V13.1.0.5), Teamcenter versión V13.2 (Todas las versiones anteriores a 13.2.0.2). La aplicación contiene una vulnerabilidad de tipo XML External Entity Injection (XXE). • https://cert-portal.siemens.com/productcert/pdf/ssa-987403.pdf • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2021-40355
https://notcve.org/view.php?id=CVE-2021-40355
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The affected application contains Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to use user-supplied input to access objects directly. Se ha identificado una vulnerabilidad en Teamcenter versión V12.4 (Todas las versiones anteriores a V12.4.0.8), Teamcenter versión V13.0 (Todas las versiones anteriores a V13.0.0.7), Teamcenter versión V13.1 (Todas las versiones anteriores a V13.1.0.5), Teamcenter versión V13.2 (Todas las versiones anteriores a 13.2.0.2). La aplicación afectada contiene una vulnerabilidad de Direct Object Reference (IDOR) que permite a un atacante usar la entrada suministrada por el usuario para acceder directamente a los objetos • https://cert-portal.siemens.com/productcert/pdf/ssa-987403.pdf • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-40354
https://notcve.org/view.php?id=CVE-2021-40354
A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The "surrogate" functionality on the user profile of the application does not perform sufficient access control that could lead to an account takeover. Any profile on the application can perform this attack and access any other user assigned tasks via the "inbox/surrogate tasks". Se ha identificado una vulnerabilidad en Teamcenter versión V12.4 (Todas las versiones anteriores a V12.4.0.8), Teamcenter versión V13.0 (Todas las versiones anteriores a V13.0.0.7), Teamcenter versión V13.1 (Todas las versiones anteriores a V13.1.0.5), Teamcenter versión V13.2 (Todas las versiones anteriores a 13.2.0.2). La funcionalidad "surrogate" en el perfil de usuario de la aplicación no lleva acabo un control de acceso suficiente que podría conllevar a una toma de posesión de la cuenta. • https://cert-portal.siemens.com/productcert/pdf/ssa-987403.pdf • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33738 – Siemens JT2Go PAR File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-33738
A vulnerability has been identified in JT2Go (All versions < V13.2.0.2), Teamcenter Visualization (All versions < V13.2.0.2). The plmxmlAdapterSE70.dll library in affected applications lacks proper validation of user-supplied data when parsing PAR files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13405) Se ha identificado una vulnerabilidad en JT2Go (Todas las versiones anteriores a V13.2.0.2), Teamcenter Visualization (Todas las versiones anteriores a V13.2.0.2). • https://cert-portal.siemens.com/productcert/pdf/ssa-938030.pdf https://www.zerodayinitiative.com/advisories/ZDI-21-981 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-33717
https://notcve.org/view.php?id=CVE-2021-33717
A vulnerability has been identified in JT2Go (All versions < V13.2.0.1), Teamcenter Visualization (All versions < V13.2.0.1). When parsing specially crafted CGM Files, a NULL pointer deference condition could cause the application to crash. The application must be restarted to restore the service. An attacker could leverage this vulnerability to cause a Denial-of-Service condition in the application. Se ha identificado una vulnerabilidad en JT2Go (Todas las versiones anteriores a V13.2.0.1), Teamcenter Visualization (Todas las versiones anteriores a V13.2.0.1). • https://cert-portal.siemens.com/productcert/pdf/ssa-365397.pdf • CWE-476: NULL Pointer Dereference •