SSA-212953: Multiple Vulnerabilities in COMOS

Publication Date: 2025-12-09
Last Update: 2026-02-10
Current Version: V1.2
CVSS v3.1 Base Score: 10.0
CVSS v4.0 Base Score: 9.2

SUMMARY

COMOS is affected by multiple vulnerabilities that could allow an attacker to execute arbitrary code, cause a denial of service condition, perform data infiltration, or violate access controls.

Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.

KNOWN AFFECTED PRODUCTS

Affected Product and Versions / Remediation

COMOS V10.4
- All versions < V10.4.5 with COMOS Web: affected by CVE-2024-47875. Remediation: Update to V10.4.5 or later version (https://support.sw.siemens.com/product/222981661/)
- All versions < V10.4.5: affected by CVE-2025-2783. Remediation: Update to V10.4.5 or later version (https://support.sw.siemens.com/product/222981661/)

COMOS V10.4.5
- All versions < V10.4.5.0.2: affected by CVE-2025-10148 and CVE-2024-11053. Remediation: Contact customer support to receive patch and update information

COMOS V10.5
- All versions < V10.5.2: affected by CVE-2025-2783. Remediation: Update to V10.5.2 or later version (https://support.sw.siemens.com/product/222981661/)
- All versions < V10.5.2 with COMOS Web: affected by CVE-2024-47875. Remediation: Update to V10.5.2 or later version (https://support.sw.siemens.com/product/222981661/)

COMOS V10.6
- All versions: affected by CVE-2025-40800, CVE-2025-40801, CVE-2024-11053 and CVE-2025-10148. Remediation: Currently no fix is available

MITIGATIONS

Product-specific remediations or mitigations can be found in the section Known Affected Products. Please follow the General Security Recommendations.
PRODUCT DESCRIPTION

COMOS is a unified data platform for collaborative plant design, operation and management that supports collecting, processing, saving and distributing information throughout the entire plant lifecycle.

VULNERABILITY DESCRIPTION

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-11053
When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
CVSS v3.1 Base Score: 3.7
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0 Base Score: 6.3
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Vulnerability CVE-2024-47875
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
CVSS v3.1 Base Score: 10.0
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2025-2783
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file.
CVSS v3.1 Base Score: 8.3
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v4.0 Base Score: 8.9
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE: CWE-20: Improper Input Validation

Vulnerability CVE-2025-10148
curl's WebSocket code did not update the 32-bit mask pattern for each new outgoing frame as the specification requires. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows a malicious server to induce traffic between the two communicating parties that an involved proxy (configured or transparent) could interpret as genuine HTTP traffic with content, and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.
CVSS v3.1 Base Score: 5.3
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-340: Generation of Predictable Numbers or Identifiers

Vulnerability CVE-2025-40800
The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.
CVSS v3.1 Base Score: 7.4
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0 Base Score: 9.1
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE: CWE-295: Improp
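The credential carry-over that CVE-2024-11053 describes is easiest to see in a small model of the redirect path. The following Python is an added illustration, not code from the Siemens advisory, from COMOS or from curl: it contrasts a selection routine that lets fields missing from the redirect target's .netrc entry fall back to the previous host's values (the leaky behaviour) with one that takes credentials only from the target's own entry. The .netrc content, hostnames and passwords are constructed for the example, and the "fixed" variant models the property that nothing is borrowed across hosts rather than curl's exact code path.

```python
"""Added example (not from the Siemens advisory or curl): models how
credentials are chosen across an HTTP redirect when a .netrc file is in
use, contrasting the leak described for CVE-2024-11053 with the intended
behaviour. Hosts, logins and passwords are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Creds:
    login: Optional[str]
    password: Optional[str]


# Constructed .netrc: the redirect target has an entry with a login but no
# password, which is exactly the trigger condition the advisory describes.
NETRC_TEXT = """\
machine origin.example.com login alice password s3cret-origin
machine cdn.example.net login bob
"""


def parse_netrc(text: str) -> Dict[str, Creds]:
    """Minimal .netrc parser for 'machine <host> [login <l>] [password <p>]'.
    Only the tokens this example needs; 'default' and 'macdef' are ignored."""
    entries: Dict[str, Creds] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "machine":
            continue
        fields = {}
        for key, value in zip(tokens[2::2], tokens[3::2]):
            if key in ("login", "password"):
                fields[key] = value
        entries[tokens[1]] = Creds(fields.get("login"), fields.get("password"))
    return entries


def creds_leaky(netrc: Dict[str, Creds], host: str, previous: Creds) -> Creds:
    """Flawed logic: any field the matched entry omits keeps the value the
    previous request used, so the first host's password travels along."""
    entry = netrc.get(host)
    if entry is None:
        return previous
    return Creds(entry.login if entry.login is not None else previous.login,
                 entry.password if entry.password is not None else previous.password)


def creds_fixed(netrc: Dict[str, Creds], host: str, previous: Creds) -> Creds:
    """Intended logic: credentials for the new host come only from its own
    entry; an incomplete entry yields no credential, never a borrowed one."""
    entry = netrc.get(host)
    if entry is None or entry.login is None or entry.password is None:
        return Creds(None, None)
    return Creds(entry.login, entry.password)


def follow_redirect(select: Callable[[Dict[str, Creds], str, Creds], Creds]) -> Tuple[Creds, Creds]:
    """Simulate origin.example.com redirecting to cdn.example.net and return
    the credentials that would be sent to each host."""
    netrc = parse_netrc(NETRC_TEXT)
    first = select(netrc, "origin.example.com", Creds(None, None))
    second = select(netrc, "cdn.example.net", first)
    return first, second


if __name__ == "__main__":
    for name, fn in (("leaky", creds_leaky), ("fixed", creds_fixed)):
        first, second = follow_redirect(fn)
        print(f"{name}: origin -> {first}, redirect target -> {second}")
```

Running the block shows the leaky path sending `s3cret-origin` to cdn.example.net under bob's login, while the fixed path sends nothing to the redirect target. The same rule applies beyond .netrc: any client that follows redirects should re-derive credentials from scratch for the new host rather than patching gaps with state from the previous request.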
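Client-to-server WebSocket frames are masked so that the client, not the server, decides which bytes appear on the wire, which is what keeps a malicious server from steering an intermediary's cache (RFC 6455, section 10.3). CVE-2025-10148 removes that protection by reusing one mask for the whole connection. The following Python is an added example, not code from the advisory, curl or COMOS: it builds RFC 6455 client frames, shows the fixed-mask pattern next to a fresh-mask-per-frame encoder, and includes a check that flags mask reuse across captured frames, which is what a practitioner would run over a client's traffic to confirm the behaviour. The payloads are constructed.

```python
"""Added example (not from the Siemens advisory, curl or COMOS): RFC 6455
client frame construction with a per-frame masking key, the fixed-mask
pattern CVE-2025-10148 describes, and a reuse detector. Payloads are
constructed sample data."""
import secrets
import struct
from typing import List, Tuple


def build_client_frame(payload: bytes, mask: bytes, opcode: int = 0x1) -> bytes:
    """Encode one final (FIN=1) masked frame using the given 4-byte mask.
    Client frames MUST be masked (RFC 6455, section 5.3)."""
    if len(mask) != 4:
        raise ValueError("mask must be exactly 4 bytes")
    header = bytes([0x80 | (opcode & 0x0F)])
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return header + mask + masked


def encode_fixed_mask(payloads: List[bytes]) -> List[bytes]:
    """Flawed pattern: one mask chosen at connection start and reused for
    every frame, so a server that learns it once can predict every later
    masked byte (the behaviour the advisory describes)."""
    mask = secrets.token_bytes(4)
    return [build_client_frame(p, mask) for p in payloads]


def encode_fresh_mask(payloads: List[bytes]) -> List[bytes]:
    """Correct pattern: a new unpredictable 32-bit mask for every frame."""
    return [build_client_frame(p, secrets.token_bytes(4)) for p in payloads]


def parse_client_frame(frame: bytes) -> Tuple[bytes, bytes]:
    """Return (mask, unmasked payload); raise if the frame is not masked."""
    second = frame[1]
    if not second & 0x80:
        raise ValueError("client frame is not masked")
    length = second & 0x7F
    offset = 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[2:4])
        offset = 4
    elif length == 127:
        (length,) = struct.unpack("!Q", frame[2:10])
        offset = 10
    mask = frame[offset:offset + 4]
    body = frame[offset + 4:offset + 4 + length]
    return mask, bytes(b ^ mask[i % 4] for i, b in enumerate(body))


def masks_reused(frames: List[bytes]) -> bool:
    """Detection check: True if any masking key appears on more than one
    frame of the same connection."""
    seen = set()
    for f in frames:
        mask, _ = parse_client_frame(f)
        if mask in seen:
            return True
        seen.add(mask)
    return False


# Constructed payloads: a text message, a short one and one that needs the
# 16-bit extended length field.
SAMPLE_PAYLOADS = [b"hello from the client", b"ok", b"x" * 200]


if __name__ == "__main__":
    print("fixed mask reused:", masks_reused(encode_fixed_mask(SAMPLE_PAYLOADS)))
    print("fresh mask reused:", masks_reused(encode_fresh_mask(SAMPLE_PAYLOADS)))
```

`masks_reused` is the useful part for an assessment: capture a client's frames (a transparent proxy or a test server can collect them) and run the check; a client that is patched will show a different 4-byte key on every frame.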
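The gap CVE-2025-40800 describes, a TLS client that does not validate the authorization server's certificate, is a configuration error rather than a protocol flaw, and the cheapest check a practitioner can make is to inspect the client's TLS context. The following Python is an added example and is not code from Siemens, COMOS or the IAM client: it places the weak setting (no chain verification, no hostname check) beside a hardened one and adds an audit routine that reports which properties are missing. The authorization-server hostname and the optional private CA bundle are assumptions for illustration; the network call is included only to show where the verified context is applied and is not exercised when the block runs stand-alone.

```python
"""Added example (not code from Siemens, COMOS or the IAM client): the
missing-validation TLS client setting described for CVE-2025-40800 next to
a hardened configuration, plus an audit check for any ssl.SSLContext.
Hostnames and CA paths used here are illustrative assumptions."""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak setting: no hostname check and no chain verification, so any
    certificate, including one presented by an on-path attacker, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected setting: verify the chain against a trust store, require the
    certificate to match the hostname, and refuse protocol versions below
    TLS 1.2. For an authorization server on a private PKI, pass its CA bundle
    (assumed path supplied by the caller)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means the server
    certificate is validated the way an IAM client must validate it."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS versions below 1.2")
    return findings


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    return not audit_context(ctx)


def connect_to_authorization_server(host: str, port: int, ctx: ssl.SSLContext,
                                    timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the TLS connection. With the hardened context, a forged or
    mismatched certificate fails the handshake (ssl.SSLCertVerificationError)
    instead of being silently trusted. server_hostname drives both SNI and
    the hostname check. Network call; not run by the stand-alone block."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

Applied to a real client, the same three properties (chain verification on, hostname check on, minimum TLS 1.2) are what to look for in whichever TLS library the IAM client uses; disabling any one of them re-creates the man-in-the-middle exposure the advisory describes.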