Vulnerability in SINEC INS Could Allow Continued Malicious Actions After User Disabling
CVE-2024-46892

8.1 HIGH

Key Information:

Vendor
Siemens
Status
Vendor
CVE Published:
12 November 2024

Summary

A session management flaw has been identified in SINEC INS: the application fails to invalidate a user's existing sessions when the associated account is deleted or disabled, or when its permissions are modified. As a result, an attacker who already holds an authenticated session can continue to perform malicious actions even after the account has been rendered inactive or its rights reduced. Prompt remediation is critical to mitigate the security breaches that could result from this oversight.
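The defect class described above (sessions that outlive the account they were issued to) and its fix are shown below in a minimal in-memory session store. This is an added illustration, not Siemens or SINEC INS code; the class and function names (`NaiveSessionStore`, `HardenedSessionStore`, `session_survives`, the `perm_version` counter) and the "alice" account are constructed for the example. The vulnerable store trusts a token until explicit logout; the hardened store re-checks the live account record on every request and also revokes sessions eagerly when an administrator changes the account.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    enabled: bool = True
    roles: frozenset = frozenset()
    # Incremented on every permission change; a session records the value it
    # was issued under, so a mismatch marks the session as stale.
    perm_version: int = 0


@dataclass
class Session:
    username: str
    perm_version: int


class NaiveSessionStore:
    """Vulnerable pattern: a token stays valid until it is explicitly logged out."""

    def __init__(self):
        self.sessions = {}

    def login(self, account):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(account.username, account.perm_version)
        return token

    def resolve(self, token, accounts):
        """Map a token to a username; the account record is never consulted."""
        session = self.sessions.get(token)
        return None if session is None else session.username


class HardenedSessionStore(NaiveSessionStore):
    """Fixed pattern: the account record is authoritative on every request,
    and administrative changes also revoke the user's sessions eagerly."""

    def resolve(self, token, accounts):
        session = self.sessions.get(token)
        if session is None:
            return None
        account = accounts.get(session.username)
        # Deleted, disabled, or permissions changed since issue: session dies.
        if (account is None or not account.enabled
                or account.perm_version != session.perm_version):
            self.sessions.pop(token, None)
            return None
        return session.username

    def revoke_user(self, username):
        """Drop every session belonging to a user (called from admin operations)."""
        stale = [t for t, s in self.sessions.items() if s.username == username]
        for t in stale:
            del self.sessions[t]


def change_roles(accounts, store, username, roles):
    """Administrative permission edit; the hardened store also revokes sessions."""
    account = accounts[username]
    account.roles = frozenset(roles)
    account.perm_version += 1
    if isinstance(store, HardenedSessionStore):
        store.revoke_user(username)


def session_survives(store_cls, action):
    """Issue a session, apply an account change, and report whether the old
    token still resolves. action is "disable", "delete" or "demote"
    (constructed scenarios mirroring the advisory's three cases)."""
    accounts = {"alice": Account("alice", roles=frozenset({"admin"}))}
    store = store_cls()
    token = store.login(accounts["alice"])
    if action == "disable":
        accounts["alice"].enabled = False       # disabled, no logout issued
    elif action == "delete":
        del accounts["alice"]                   # account removed entirely
    elif action == "demote":
        change_roles(accounts, store, "alice", {"viewer"})
    else:
        raise ValueError(action)
    return store.resolve(token, accounts) is not None


def valid_session_resolves(store_cls):
    """Sanity check: an untouched account's session still works."""
    accounts = {"alice": Account("alice", roles=frozenset({"admin"}))}
    store = store_cls()
    token = store.login(accounts["alice"])
    return store.resolve(token, accounts) == "alice"


if __name__ == "__main__":
    for action in ("disable", "delete", "demote"):
        print(action, "naive:", session_survives(NaiveSessionStore, action),
              "hardened:", session_survives(HardenedSessionStore, action))
```

The per-request check is the essential control: eager revocation alone misses sessions held in other nodes or replicas, while the version counter catches permission changes without having to enumerate which rights were removed. Detection-wise, a request that authenticates with a session belonging to a disabled or deleted account is the event worth logging and alerting on.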

Affected Version(s)

SINEC INS 0

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved