CVE-2021-33021: 
xArrow vulnerability analysis and mitigation

xArrow SCADA versions 7.2 and prior is affected by a cross-site scripting vulnerability (CVE-2021-33021) discovered in 2021. The vulnerability exists in the parameter 'edate' of the resource xhisalarm.htm, which may allow an unauthorized attacker to execute arbitrary code. The vulnerability has been assigned a CVSS v3 base score of 6.1, indicating moderate severity (CISA Advisory).

The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), indicating that the vulnerability is network accessible, requires low attack complexity, needs no privileges, but requires user interaction. The vulnerability affects the SCADA/HMI system's web interface (CISA Advisory).

Successful exploitation of this vulnerability could allow an unauthorized attacker to execute arbitrary code through cross-site scripting attacks. This could potentially lead to unauthorized access and manipulation of the SCADA system (CISA Advisory).

CISA recommends several mitigation measures including: disabling web server implementation (which is disabled by default), minimizing network exposure for all control system devices, ensuring systems are not accessible from the Internet, locating control system networks behind firewalls, and isolating them from the business network. When remote access is required, secure methods such as VPNs should be used (CISA Advisory).

xArrow has not responded to requests to work with CISA to mitigate these vulnerabilities. The vulnerability was reported to CISA by security researchers Sharon Brizinov from Claroty and Michael Heinzl (CISA Advisory).