CVE-2021-40335

Cross Site Request Forgery (CSRF) in Hitachi Energy’s MSM Product

Description

A vulnerability exists in the HTTP web interface where the web interface does not sufficiently verify if a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. This cause a Cross Site Request Forgery (CSRF), which if exploited could lead an attacker to gain unauthorized access to the web application and perform an unwanted operation on it without the knowledge of the legitimate user. An attacker, who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., link is sent per E-Mail, could perform harmful command on MSM through its web server interface. This issue affects: Hitachi Energy MSM V2.2 and prior versions.

Remediation

Workaround:

  • Apply mitigation strategy as described in Mitigation Factors Section in the advisory.

Category

5.0
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.14%
Vendor Advisory abb.com
Affected: Hitachi Energy MSM
Published at:
Updated at:

References

Link Tags
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085&LanguageCode=en&DocumentPartId=&Action=Launch mitigation vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-40335?
CVE-2021-40335 has been scored as a medium severity vulnerability.
How to fix CVE-2021-40335?
As a workaround for remediating CVE-2021-40335: Apply mitigation strategy as described in Mitigation Factors Section in the advisory.
Is CVE-2021-40335 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-40335 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-40335?
CVE-2021-40335 affects Hitachi Energy MSM.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.