CVE-2021-42534 - OpenCVE

The affected product’s web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Trane	Tracer Sc Firmware Tracer Sc

Configuration 1 [-]

AND

cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:trane:tracer_sc:-:*:*:*:*:*:*:*

References

Link	Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2021-10-19T00:00:00

Updated: 2021-10-25T14:01:11

Reserved: 2021-10-15T00:00:00

Link: CVE-2021-42534

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-22T14:15:08.690

Modified: 2021-10-27T16:07:15.853

Link: CVE-2021-42534

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Tracer SC", "vendor": "Trane", "versions": [{"lessThanOrEqual": "3.8", "status": "affected", "version": "All", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Chizuru Toyama of TXOne IoT/ICS Security Research Labs of Trend Micro reported this vulnerability to CISA."}], "datePublic": "2021-10-19T00:00:00", "descriptions": [{"lang": "en", "value": "The affected product\u2019s web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-25T14:01:11", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02"}], "solutions": [{"lang": "en", "value": "Trane has identified the following specific mitigations for the affected products:\n\nUsers upgrade Tracer SC controllers running firmware v3.8 and prior, to firmware v4.4 SP7 or higher. Users should contact a regional Trane office to install updated firmware or request additional information and reference Trane service database number HUB-207592.\nTracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31, 2022. Trane recommends users identify a migration plan to replace the Tracer SC controller with the Tracer SC+ controller, which can function as a drop-in replacement for Tracer SC, providing significant security upgrades."}], "source": {"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02", "discovery": "UNKNOWN"}, "title": "Trane Building Automation Controllers Cross-site Scripting", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-10-19T15:34:00.000Z", "ID": "CVE-2021-42534", "STATE": "PUBLIC", "TITLE": "Trane Building Automation Controllers Cross-site Scripting"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Tracer SC", "version": {"version_data": [{"version_affected": "<=", "version_name": "All", "version_value": "3.8"}]}}]}, "vendor_name": "Trane"}]}}, "credit": [{"lang": "eng", "value": "Chizuru Toyama of TXOne IoT/ICS Security Research Labs of Trend Micro reported this vulnerability to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The affected product\u2019s web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02", "refsource": "CONFIRM", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02"}]}, "solution": [{"lang": "en", "value": "Trane has identified the following specific mitigations for the affected products:\n\nUsers upgrade Tracer SC controllers running firmware v3.8 and prior, to firmware v4.4 SP7 or higher. Users should contact a regional Trane office to install updated firmware or request additional information and reference Trane service database number HUB-207592.\nTracer SC is no longer actively developed, tested, or sold. Tracer SC will be considered end-of-life on December 31, 2022. Trane recommends users identify a migration plan to replace the Tracer SC controller with the Tracer SC+ controller, which can function as a drop-in replacement for Tracer SC, providing significant security upgrades."}], "source": {"advisory": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-42534", "datePublished": "2021-10-19T00:00:00", "dateReserved": "2021-10-15T00:00:00", "dateUpdated": "2021-10-25T14:01:11", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:trane:tracer_sc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "92C018AE-5629-441A-BF3A-7C3C865EE020", "versionEndIncluding": "3.8", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:trane:tracer_sc:-:*:*:*:*:*:*:*", "matchCriteriaId": "C0514AF8-5E91-4068-A507-575E71EFB16A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The affected product\u2019s web application does not properly neutralize the input during webpage generation, which could allow an attacker to inject code in the input forms."}, {"lang": "es", "value": "La aplicaci\u00f3n web del producto afectado no neutraliza adecuadamente la entrada durante la generaci\u00f3n de la p\u00e1gina web, que podr\u00eda permitir a un atacante inyectar c\u00f3digo en los formularios de entrada"}], "id": "CVE-2021-42534", "lastModified": "2021-10-27T16:07:15.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2021-10-22T14:15:08.690", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-292-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}