Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for smartics by smartics

    CVE-2022-2140 (GCVE-0-2022-2140)

    Vulnerability from nvd – Published: 2022-06-27 16:14 – Updated: 2025-04-16 17:51
    VLAI
    Title
    Elcomplus SmartICS Cross-site Scripting
    Summary
    Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    Elcomplus SmartICS Affected: v2.3.4.0
    Create a notification for this product.
    Credits
    Michael Heinzl reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2140",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:28:23.195962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:51:46.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SmartICS",
              "vendor": "Elcomplus",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.4.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Michael Heinzl reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T16:14:48.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Elcomplus SmartICS Cross-site Scripting",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-2140",
              "STATE": "PUBLIC",
              "TITLE": "Elcomplus SmartICS Cross-site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SmartICS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v2.3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Elcomplus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Michael Heinzl reported these vulnerabilities to CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-2140",
        "datePublished": "2022-06-27T16:14:48.000Z",
        "dateReserved": "2022-06-20T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:51:46.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2106 (GCVE-0-2022-2106)

    Vulnerability from nvd – Published: 2022-06-27 16:15 – Updated: 2025-04-16 16:15
    VLAI
    Title
    Elcomplus SmartICS Path Traversal
    Summary
    Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    Elcomplus SmartICS Affected: v2.3.4.0
    Create a notification for this product.
    Credits
    Michael Heinzl reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.184Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:51:19.632959Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:15:46.034Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SmartICS",
              "vendor": "Elcomplus",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.4.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Michael Heinzl reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T16:15:32.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Elcomplus SmartICS Path Traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-2106",
              "STATE": "PUBLIC",
              "TITLE": "Elcomplus SmartICS Path Traversal"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SmartICS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v2.3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Elcomplus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Michael Heinzl reported these vulnerabilities to CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23 Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-2106",
        "datePublished": "2022-06-27T16:15:32.000Z",
        "dateReserved": "2022-06-16T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:15:46.034Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2088 (GCVE-0-2022-2088)

    Vulnerability from nvd – Published: 2022-06-27 16:14 – Updated: 2025-04-16 16:15
    VLAI
    Title
    Elcomplus SmartICS Access Control
    Summary
    An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Elcomplus SmartICS Affected: v2.3.4.0
    Create a notification for this product.
    Credits
    Michael Heinzl reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.271Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2088",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:51:23.100138Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:15:53.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SmartICS",
              "vendor": "Elcomplus",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.4.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Michael Heinzl reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T16:14:07.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Elcomplus SmartICS Access Control",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-2088",
              "STATE": "PUBLIC",
              "TITLE": "Elcomplus SmartICS Access Control"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SmartICS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v2.3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Elcomplus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Michael Heinzl reported these vulnerabilities to CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284: Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-2088",
        "datePublished": "2022-06-27T16:14:07.000Z",
        "dateReserved": "2022-06-15T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:15:53.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2106 (GCVE-0-2022-2106)

    Vulnerability from cvelistv5 – Published: 2022-06-27 16:15 – Updated: 2025-04-16 16:15
    VLAI
    Title
    Elcomplus SmartICS Path Traversal
    Summary
    Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    References
    Impacted products
    Vendor Product Version
    Elcomplus SmartICS Affected: v2.3.4.0
    Create a notification for this product.
    Credits
    Michael Heinzl reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.184Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2106",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:51:19.632959Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:15:46.034Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SmartICS",
              "vendor": "Elcomplus",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.4.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Michael Heinzl reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T16:15:32.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Elcomplus SmartICS Path Traversal",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-2106",
              "STATE": "PUBLIC",
              "TITLE": "Elcomplus SmartICS Path Traversal"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SmartICS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v2.3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Elcomplus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Michael Heinzl reported these vulnerabilities to CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Elcomplus SmartICS v2.3.4.0 does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.8,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23 Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-2106",
        "datePublished": "2022-06-27T16:15:32.000Z",
        "dateReserved": "2022-06-16T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:15:46.034Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2140 (GCVE-0-2022-2140)

    Vulnerability from cvelistv5 – Published: 2022-06-27 16:14 – Updated: 2025-04-16 17:51
    VLAI
    Title
    Elcomplus SmartICS Cross-site Scripting
    Summary
    Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Cross-site Scripting
    Assigner
    References
    Impacted products
    Vendor Product Version
    Elcomplus SmartICS Affected: v2.3.4.0
    Create a notification for this product.
    Credits
    Michael Heinzl reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2140",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:28:23.195962Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T17:51:46.939Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SmartICS",
              "vendor": "Elcomplus",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.4.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Michael Heinzl reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Cross-site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T16:14:48.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Elcomplus SmartICS Cross-site Scripting",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-2140",
              "STATE": "PUBLIC",
              "TITLE": "Elcomplus SmartICS Cross-site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SmartICS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v2.3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Elcomplus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Michael Heinzl reported these vulnerabilities to CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79: Cross-site Scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-2140",
        "datePublished": "2022-06-27T16:14:48.000Z",
        "dateReserved": "2022-06-20T00:00:00.000Z",
        "dateUpdated": "2025-04-16T17:51:46.939Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2088 (GCVE-0-2022-2088)

    Vulnerability from cvelistv5 – Published: 2022-06-27 16:14 – Updated: 2025-04-16 16:15
    VLAI
    Title
    Elcomplus SmartICS Access Control
    Summary
    An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Elcomplus SmartICS Affected: v2.3.4.0
    Create a notification for this product.
    Credits
    Michael Heinzl reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:44.271Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-2088",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T15:51:23.100138Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T16:15:53.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SmartICS",
              "vendor": "Elcomplus",
              "versions": [
                {
                  "status": "affected",
                  "version": "v2.3.4.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Michael Heinzl reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T16:14:07.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Elcomplus SmartICS Access Control",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "ID": "CVE-2022-2088",
              "STATE": "PUBLIC",
              "TITLE": "Elcomplus SmartICS Access Control"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SmartICS",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v2.3.4.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Elcomplus"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Michael Heinzl reported these vulnerabilities to CISA."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284: Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05",
                  "refsource": "CONFIRM",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-05"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version on request on the official SmartICS website https://smartics.io/"
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-2088",
        "datePublished": "2022-06-27T16:14:07.000Z",
        "dateReserved": "2022-06-15T00:00:00.000Z",
        "dateUpdated": "2025-04-16T16:15:53.017Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }