Omnivise T3000 Application Server Vulnerability Allow Arbitrary File Download
CVE-2024-38878

6.5MEDIUM

Key Information:

Vendor: Siemens
Status: Omnivise T3000 Application Server R9.2; Omnivise T3000 R8.2 Sp3; Omnivise T3000 R8.2 Sp4
Vendor: CVE Published:; 2 August 2024

Summary

A vulnerability has been identified in Omnivise T3000 Application Server R9.2 (All versions), Omnivise T3000 R8.2 SP3 (All versions), Omnivise T3000 R8.2 SP4 (All versions). Affected devices allow authenticated users to export diagnostics data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download arbitrary files from the file system.

Affected Version(s)

Omnivise T3000 Application Server R9.2 0

Omnivise T3000 R8.2 SP3 0

Omnivise T3000 R8.2 SP4 0

References

https://cert-portal.siemens.com/productcert/html/ssa-8573...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 2, 2024