CVE-2021-27418

GE UR family input validation

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTML encoding of user-supplied strings.

GE UR versiones de firmware anteriores a versión 8.1x, admiten la interfaz web con acceso de sólo lectura. El dispositivo no comprueba correctamente la entrada del usuario, haciendo posible llevar a cabo ataques de tipo cross-site scripting, que pueden ser usados para enviar un script malicioso. Además, el servidor web de UR Firmware no lleva a cabo la codificación HTML de las cadenas suministradas por el usuario

*Credits: SCADA-X, DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these vulnerabilities to GE.

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-02-19 CVE Reserved
2022-03-23 CVE Published
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source
https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ge Search vendor "Ge"	Multilin B30 Firmware Search vendor "Ge" for product "Multilin B30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin B30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin B30 Search vendor "Ge" for product "Multilin B30"	-	-	Safe
Ge Search vendor "Ge"	Multilin B90 Firmware Search vendor "Ge" for product "Multilin B90 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin B90 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin B90 Search vendor "Ge" for product "Multilin B90"	-	-	Safe
Ge Search vendor "Ge"	Multilin C60 Firmware Search vendor "Ge" for product "Multilin C60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C60 Search vendor "Ge" for product "Multilin C60"	-	-	Safe
Ge Search vendor "Ge"	Multilin C70 Firmware Search vendor "Ge" for product "Multilin C70 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C70 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C70 Search vendor "Ge" for product "Multilin C70"	-	-	Safe
Ge Search vendor "Ge"	Multilin C95 Firmware Search vendor "Ge" for product "Multilin C95 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C95 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C95 Search vendor "Ge" for product "Multilin C95"	-	-	Safe
Ge Search vendor "Ge"	Multilin D30 Firmware Search vendor "Ge" for product "Multilin D30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin D30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin D30 Search vendor "Ge" for product "Multilin D30"	-	-	Safe
Ge Search vendor "Ge"	Multilin D60 Firmware Search vendor "Ge" for product "Multilin D60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin D60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin D60 Search vendor "Ge" for product "Multilin D60"	-	-	Safe
Ge Search vendor "Ge"	Multilin F35 Firmware Search vendor "Ge" for product "Multilin F35 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin F35 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin F35 Search vendor "Ge" for product "Multilin F35"	-	-	Safe
Ge Search vendor "Ge"	Multilin F60 Firmware Search vendor "Ge" for product "Multilin F60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin F60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin F60 Search vendor "Ge" for product "Multilin F60"	-	-	Safe
Ge Search vendor "Ge"	Multilin G30 Firmware Search vendor "Ge" for product "Multilin G30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin G30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin G30 Search vendor "Ge" for product "Multilin G30"	-	-	Safe
Ge Search vendor "Ge"	Multilin G60 Firmware Search vendor "Ge" for product "Multilin G60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin G60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin G60 Search vendor "Ge" for product "Multilin G60"	-	-	Safe
Ge Search vendor "Ge"	Multilin L30 Firmware Search vendor "Ge" for product "Multilin L30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin L30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin L30 Search vendor "Ge" for product "Multilin L30"	-	-	Safe
Ge Search vendor "Ge"	Multilin L60 Firmware Search vendor "Ge" for product "Multilin L60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin L60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin L60 Search vendor "Ge" for product "Multilin L60"	-	-	Safe
Ge Search vendor "Ge"	Multilin L90 Firmware Search vendor "Ge" for product "Multilin L90 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin L90 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin L90 Search vendor "Ge" for product "Multilin L90"	-	-	Safe
Ge Search vendor "Ge"	Multilin M60 Firmware Search vendor "Ge" for product "Multilin M60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin M60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin M60 Search vendor "Ge" for product "Multilin M60"	-	-	Safe
Ge Search vendor "Ge"	Multilin N60 Firmware Search vendor "Ge" for product "Multilin N60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin N60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin N60 Search vendor "Ge" for product "Multilin N60"	-	-	Safe
Ge Search vendor "Ge"	Multilin T35 Firmware Search vendor "Ge" for product "Multilin T35 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin T35 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin T35 Search vendor "Ge" for product "Multilin T35"	-	-	Safe
Ge Search vendor "Ge"	Multilin T60 Firmware Search vendor "Ge" for product "Multilin T60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin T60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin T60 Search vendor "Ge" for product "Multilin T60"	-	-	Safe
Ge Search vendor "Ge"	Multilin C30 Firmware Search vendor "Ge" for product "Multilin C30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C30 Search vendor "Ge" for product "Multilin C30"	-	-	Safe