CVE-2021-40366

Published: Nov 9, 2021Modified: Nov 21, 2024

7.4

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.2 / Impact: 5.2

Source: NVD

Description

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.42), Climatix POL909 (AWM module) (All versions < V11.34). The web server of affected devices transmits data without TLS encryption. This could allow an unauthenticated remote attacker in a man-in-the-middle position to read sensitive data, such as administrator credentials, or modify data in transit.

Affected (2)

Products: Siemens: Climatix Pol909 Firmware

1 product

Climatix Pol909 Firmware

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens Climatix Pol909 Firmware	Before 11.42
Siemens Climatix Pol909 Firmware	Before 11.34

Running on/with	Platform Versions
Siemens Climatix Pol909	All versions

Related CWEs

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (2)

https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf

Source: productcert@siemens.com

Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.