Arbitrary File Manipulation and Code Execution Vulnerability
CVE-2024-46888
9.9 CRITICAL
Summary
SINEC INS versions prior to V1.0 SP2 Update 3 do not properly sanitize user-provided paths for SFTP-based file uploads and downloads. An authenticated remote attacker can exploit this flaw to manipulate arbitrary files on the system, potentially leading to unauthorized code execution. Organizations using SINEC INS should check which version they are running and apply the necessary security updates.
Affected Version(s)
SINEC INS: versions prior to V1.0 SP2 Update 3
CVSS V3.1
Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved