← Back

CVE-2011-4508

nvd nist
Published: Feb 3, 2012Modified: Apr 29, 2026

JSON object

Loading...
9.3
Vector
AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploitability: 8.6 / Impact: 10.0
Source: NVD

Description

The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie.

Affected (16)

Siemens
5 products
Wincc Flexible
Wincc
Simatic Hmi Panels
Wincc Runtime Advanced
Wincc Flexible Runtime
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Siemens
Wincc Flexible
Version 2004
Wincc Flexible
Version 2005
Wincc Flexible
Version 2007
Wincc Flexible
Version 2008
Wincc Flexible
Version 2008 sp1
Wincc Flexible
Version 2008 sp2
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Siemens
Wincc
Up to v11
Wincc
Version v11
Wincc
Version v11 sp1
Configuration C
5 vulnerable
Vulnerable SoftwareAffected Versions
Siemens
Simatic Hmi Panels
Version comfort_panels
Simatic Hmi Panels
Version mobile_panels
Simatic Hmi Panels
Version mp
Simatic Hmi Panels
Version op
Simatic Hmi Panels
Version tp
Configuration D
1 vulnerable
Vulnerable SoftwareAffected Versions
Wincc Runtime Advanced
Version v11
Configuration E
1 vulnerable
Vulnerable SoftwareAffected Versions
Wincc Flexible Runtime
All versions

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

Source: cret@cert.org
Vendor Advisory
Source: cret@cert.org
US Government Resource
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
US Government Resource

Timeline

No history available yet.