PT-2021-3504 · Unknown · Openplc Scadabr

H3V0X · Published 2021-06-11 · Updated 2025-12-22 · CVE-2021-26828

CVSS v3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenPLC ScadaBR versions through 0.9.1 on Linux
OpenPLC ScadaBR versions through 1.12.4 on Windows

Description
ScadaBR, a system for data collection and process-automation control, is affected by multiple issues. The first is insufficient protection of the agentpushPreset structure on the administrative page system_settings.shtm, which allows cross-site scripting (XSS). The second allows remote authenticated users to upload and execute arbitrary JSP files through view_edit.shtm: the upload is not restricted by file type (unrestricted upload of a file with a dangerous type), so a JSP written under the web root is executed by the servlet container when it is requested. view_edit.shtm is the entry point for exploitation. Exploitation requires a valid account on the web interface (PR:L in the vector), and a successfully uploaded JSP runs with the privileges of the ScadaBR server process, which is why the vector records high impact on confidentiality, integrity and availability.

Recommendations
OpenPLC ScadaBR versions through 0.9.1 on Linux: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
OpenPLC ScadaBR versions through 1.12.4 on Windows: at the moment, there is no information about a newer version that contains a fix for this vulnerability.
Until a fixed release exists, treat every account on the ScadaBR web interface as equivalent to code execution on the host: restrict network access to the interface and keep the set of authenticated users to a minimum.
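The weakness class behind the second issue is an upload handler that stores whatever file the client names. The block below is an added example written for this page, not code from ScadaBR or from the advisory author: a Python validator that contrasts the weak behaviour the description names (client-supplied name kept as-is, no type restriction) with an allow-list check that refuses server-executable types, double extensions and path components, verifies magic bytes, and replaces the client name with a random server-side name. The ALLOWED table, the magic-byte values, the SERVER_EXECUTABLE set and the function names are this example's assumptions; the real handler behind view_edit.shtm is Java/JSP and is not reproduced here.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list for an endpoint that only needs images. Anything not
# listed is rejected, so .jsp/.jspx and friends never pass regardless of how
# the server is configured. Values are the standard file signatures.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Types a servlet container or the OS would execute if written under the
# web root. Refused even if someone later adds them to ALLOWED by mistake.
SERVER_EXECUTABLE = {"jsp", "jspx", "jspf", "jsw", "jsv", "war", "jar", "class", "sh"}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # name to use on disk when accepted


def vulnerable_store_name(filename: str) -> str:
    """Before: the client-supplied name is used unchanged. A name such as
    'shell.jsp' lands under the web root and the container executes it on
    the next GET, which is the behaviour CVE-2021-26828 describes."""
    return filename


def validate_upload(filename: str, content: bytes) -> UploadDecision:
    """After: allow-list the extension, reject traversal, control characters
    and multiple extensions, confirm the bytes match the claimed type, and
    never let the client name reach the filesystem."""
    # 1. Any directory component (either separator) or control byte is refused
    #    outright rather than normalised, so '../x.png' cannot escape the
    #    upload directory and a NUL byte cannot truncate the name downstream.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or any(ord(c) < 0x20 for c in base):
        return UploadDecision(False, "path or control characters in filename")

    # 2. Exactly one extension, compared case-insensitively. 'shell.jsp.png'
    #    and 'SHELL.JSP' both fail here; a legitimate 'my.photo.png' is also
    #    refused, which is the deliberate trade-off of a strict check.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return UploadDecision(False, "missing or multiple extensions")
    ext = parts[1]
    if ext in SERVER_EXECUTABLE:
        return UploadDecision(False, f"server-executable type .{ext} refused")
    if ext not in ALLOWED:
        return UploadDecision(False, f".{ext} not in allow-list")

    # 3. The content has to look like the type the name claims; JSP source
    #    renamed to .png fails the signature check.
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return UploadDecision(False, "content does not match claimed type")

    # 4. Store under a random name with the verified extension. The original
    #    filename is never written to disk and never echoed back, so it can
    #    carry neither a path nor markup into later pages.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed sample
    jsp = b"<% out.println(\"constructed sample\"); %>"  # constructed sample
    for name, data in [("logo.png", png), ("shell.jsp", jsp),
                       ("shell.jsp.png", png), ("../x.png", png),
                       ("logo.png", jsp)]:
        d = validate_upload(name, data)
        print(f"{name!r}: accepted={d.accepted} ({d.reason}) -> {d.stored_name}")
```

The order of the checks matters: the extension is decided before the content is inspected, so a file that is both mis-named and mis-typed is refused for the cheaper reason first, and a random stored name is only ever produced for content that passed every check.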

Exploit: Unrestricted File Upload, XSS

Weakness Enumeration

Related Identifiers: BDU:2021-03553, BDU:2025-14902, CVE-2021-26828

Affected Products: Openplc Scadabr