Arbitrary File Manipulation and Code Execution Vulnerability

CVE-2024-46888

9.9CRITICAL

Key Information

Vendor
Siemens
Status
Sinec Ins
Vendor
CVE Published:
12 November 2024

Summary

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly sanitize user provided paths for SFTP-based file up- and downloads. This could allow an authenticated remote attacker to manipulate arbitrary files on the filesystem and achieve arbitrary code execution on the device.

Affected Version(s)

SINEC INS < 0

Refferences

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.