Invalid Input Validation in SINEC INS Leads to Arbitrary Code Execution

CVE-2024-46890

9.1CRITICAL

Key Information

Vendor
Siemens
Status
Sinec Ins
Vendor
CVE Published:
12 November 2024

Summary

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly validate input sent to specific endpoints of its web API. This could allow an authenticated remote attacker with high privileges on the application to execute arbitrary code on the underlying OS.

Affected Version(s)

SINEC INS < 0

Refferences

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.