Vulnerability in SINEC INS Could Allow Continued Malicious Actions After User Disabling

CVE-2024-46892

8.1 HIGH

Key Information

Vendor
Siemens
Status
Sinec Ins
Vendor
CVE Published: 12 November 2024

Summary

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.

Affected Version(s)

SINEC INS < V1.0 SP2 Update 3

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database