CVE-2021-21004 : In Phoenix Contact FL SWITCH SMCS series products in multiple versions an attack

In Phoenix Contact FL SWITCH SMCS series products in multiple versions an attacker may insert malicious code via LLDP frames into the web-based management which could then be executed by the client.

Published 2021-06-25 19:15:09

Updated 2021-07-02 00:00:43

Source CERT VDE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2021-21004

Phoenixcontact » Fl Nat Smn 8tx-m Firmware
Versions up to, including, (<=) 4.63
cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx-m_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Nat Smn 8tx-m » Version: N/A
Phoenixcontact » Fl Nat Smn 8tx Firmware
Versions up to, including, (<=) 4.63
cpe:2.3:o:phoenixcontact:fl_nat_smn_8tx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Nat Smn 8tx » Version: N/A
Phoenixcontact » Fl Switch Smcs 16tx Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_16tx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 16tx » Version: N/A
Phoenixcontact » Fl Switch Smcs 14tx/2fx Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_14tx\/2fx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 14tx/2fx » Version: N/A
Phoenixcontact » Fl Switch Smcs 14tx/2fx-sm Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_14tx\/2fx-sm_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 14tx/2fx-sm » Version: N/A
Phoenixcontact » Fl Switch Smcs 8gt Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_8gt_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 8gt » Version: N/A
Phoenixcontact » Fl Switch Smcs 6gt/2sfp Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_6gt\/2sfp_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 6gt/2sfp » Version: N/A
Phoenixcontact » Fl Switch Smcs 8tx-pn Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_8tx-pn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 8tx-pn » Version: N/A
Phoenixcontact » Fl Switch Smcs 4tx-pn Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_4tx-pn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 4tx-pn » Version: N/A
Phoenixcontact » Fl Switch Smcs 8tx Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_8tx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 8tx » Version: N/A
Phoenixcontact » Fl Switch Smcs 6tx/2sfp Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smcs_6tx\/2sfp_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smcs 6tx/2sfp » Version: N/A
Phoenixcontact » Fl Switch Smn 6tx/2pof-pn Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smn_6tx\/2pof-pn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smn 6tx/2pof-pn » Version: N/A
Phoenixcontact » Fl Switch Smn 8tx-pn Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smn_8tx-pn_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smn 8tx-pn » Version: N/A
Phoenixcontact » Fl Switch Smn 6tx/2fx Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smn_6tx\/2fx_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smn 6tx/2fx » Version: N/A
Phoenixcontact » Fl Switch Smn 6tx/2fx Sm Firmware
Versions up to, including, (<=) 4.70
cpe:2.3:o:phoenixcontact:fl_switch_smn_6tx\/2fx_sm_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Phoenixcontact » Fl Switch Smn 6tx/2fx Sm » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-21004

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-21004

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.4	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N	2.1	4.7	CERT VDE
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: High Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2021-21004

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- info@cert.vde.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2021-21004

https://cert.vde.com/en-us/advisories/vde-2021-023

PHOENIX CONTACT : Security Advisory for FL SWITCH SMCS series — English (USA)
Not Applicable;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-21004

Products affected by CVE-2021-21004

Exploit prediction scoring system (EPSS) score for CVE-2021-21004

CVSS scores for CVE-2021-21004

CWE ids for CVE-2021-21004

References for CVE-2021-21004