CVE-2024-46892

Published: Nov 12, 2024Modified: Nov 13, 2024

6.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: productcert@siemens.com (Secondary)

Description

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.

Affected (6)

Products: Siemens: Sinec Ins

Siemens

1 product

Sinec Ins

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Siemens Sinec Ins	Before 1.0
Siemens Sinec Ins	Version 1.0
Siemens Sinec Ins	Version 1.0 sp1
Siemens Sinec Ins	Version 1.0 sp2
Siemens Sinec Ins	Version 1.0 sp2_update_1
Siemens Sinec Ins	Version 1.0 sp2_update_2

Related CWEs

CWE-613

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (1)

https://cert-portal.siemens.com/productcert/html/ssa-915275.html

Source: productcert@siemens.com

Vendor Advisory

Timeline

No history available yet.