Invalid Input Validation in SINEC INS Leads to Arbitrary Code Execution

CVE-2024-46890

9.1CRITICAL

Key Information

Vendor: Siemens
Status: Sinec Ins
Vendor: CVE Published:; 12 November 2024

Summary

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly validate input sent to specific endpoints of its web API. This could allow an authenticated remote attacker with high privileges on the application to execute arbitrary code on the underlying OS.

Affected Version(s)

SINEC INS < 0

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Nov 12, 2024
Vulnerability Reserved.
Sep 12, 2024

Collectors

NVD DatabaseMitre Database