This morning the DHS ICS-CERT published an advisory for an escalation of privilege vulnerability in the Siemens COMOS database application. The vulnerability was self-reported last week by Siemens and an update has been made available for the latest versions of the product.
ICS-CERT reports that a relatively low-skilled attacker with authenticated local access to the database could exploit this vulnerability to compromise the confidentiality, integrity, and availability of the database.
Siemens has revised the advisory that I mentioned last week, adding contact information. I notice that this is the second privilege escalation vulnerability that Siemens has reported in their COMOS product; the earlier advisory was published in August (ICS-CERT Advisory - ICSA-12-227-01; that was also reported late by ICS-CERT).