PT-2021-3504 · Unknown · OpenPLC ScadaBR

H3V0X · Published 2021-06-11 · Updated 2025-10-09 · CVE-2021-26828

CVSS v2.0: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: OpenPLC ScadaBR versions 0.9.1 and earlier on Linux; OpenPLC ScadaBR versions 1.12.4 and earlier on Windows

Description: The issue allows remote authenticated users to upload and execute arbitrary JSP files via the view_edit.shtm endpoint. It is an unrestricted upload of a file with a dangerous type (the endpoint does not reject executable server-side content). Exploitation of this issue may allow a remote attacker to execute arbitrary code using a specially crafted file.

Recommendations: For OpenPLC ScadaBR versions 0.9.1 and earlier on Linux, consider disabling the view_edit.shtm endpoint until a patch is available. For OpenPLC ScadaBR versions 1.12.4 and earlier on Windows, restrict access to the view_edit.shtm endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
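Until the endpoint can be disabled, the recommendation above amounts to restricting who may reach view_edit.shtm and watching for upload attempts (POST requests) against it. The following added example, which is not part of the advisory and not ScadaBR project code, shows one way to check web server access logs for that: it parses Common Log Format lines, keeps every request to the vulnerable endpoint, and flags POSTs that originate outside an allowlist of trusted networks. The log lines, the /ScadaBR/ context path and the 10.0.0.0/24 trusted network are constructed assumptions for the demonstration; adjust them to the real deployment.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access log in Common Log Format (not real traffic).
# The /ScadaBR/ context path is an assumption about the deployment.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Jun/2021:10:01:12 +0000] "GET /ScadaBR/view_edit.shtm HTTP/1.1" 200 5120
10.0.0.5 - admin [11/Jun/2021:10:01:40 +0000] "POST /ScadaBR/view_edit.shtm HTTP/1.1" 200 311
198.51.100.23 - operator [11/Jun/2021:10:02:03 +0000] "POST /ScadaBR/view_edit.shtm?x=1 HTTP/1.1" 200 298
198.51.100.23 - operator [11/Jun/2021:10:02:09 +0000] "GET /ScadaBR/watch_list.shtm HTTP/1.1" 200 8810
10.0.0.7 - - [11/Jun/2021:10:03:00 +0000] "GET /ScadaBR/login.htm HTTP/1.1" 200 2048
"""

# Common Log Format: host ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Endpoint named in the advisory; matched on the path component only.
VULNERABLE_ENDPOINT = "view_edit.shtm"


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_endpoint_hits(log_text, allowed_networks):
    """Every request to the vulnerable endpoint, annotated with whether the
    source address is inside an allowed network and whether it is a POST
    (the method an upload through the endpoint would use)."""
    nets = [ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if not path.endswith("/" + VULNERABLE_ENDPOINT):
            continue
        src = ip_address(rec["ip"])
        rec["allowed_source"] = any(src in n for n in nets)
        rec["upload_attempt"] = rec["method"] == "POST"
        hits.append(rec)
    return hits


def find_alerts(log_text, allowed_networks):
    """POSTs to the endpoint from outside the trusted networks: these are the
    requests a reviewer should look at first, since the advisory's upload
    path requires a POST and the mitigation is to restrict who can reach it."""
    return [
        h for h in find_endpoint_hits(log_text, allowed_networks)
        if h["upload_attempt"] and not h["allowed_source"]
    ]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, ["10.0.0.0/24"]):
        print(f'{alert["ts"]} {alert["ip"]} user={alert["user"]} '
              f'POST {alert["path"]} status={alert["status"]}')
```

A 200 status on the POST does not by itself prove a file was stored, because the access log does not record the uploaded filename or type; the hit list is a triage starting point, to be correlated with the application's own logs and with any new .jsp files appearing under the web application's directories. Because the issue requires an authenticated user, the allowlist narrows exposure to trusted sources but does not replace disabling the endpoint where that is possible.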

Exploit

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2021-03553
CVE-2021-26828

Affected Products

OpenPLC ScadaBR