
CVE-2024-39871
https://notcve.org/view.php?id=CVE-2024-39871
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacker does not belong to. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-863: Incorrect Authorization •

CVE-2024-39870
https://notcve.org/view.php?id=CVE-2024-39870
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected applications can be configured to allow users to manage their own users. A local authenticated user with this privilege could use this to modify users outside of their own scope as well as to escalate privileges. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-602: Client-Side Enforcement of Server-Side Security •

CVE-2024-39869
https://notcve.org/view.php?id=CVE-2024-39869
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected products allow certificates to be uploaded. An authenticated attacker could upload a crafted certificate, leading to a permanent denial-of-service situation. In order to recover from such an attack, the offending certificate needs to be removed manually. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVE-2024-39868
https://notcve.org/view.php?id=CVE-2024-39868
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web interface, allowing an unauthenticated attacker to access and edit VxLAN configuration information of networks for which they have no privileges. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-425: Direct Request ('Forced Browsing') •

CVE-2024-39867
https://notcve.org/view.php?id=CVE-2024-39867
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web interface, allowing an unauthenticated attacker to access and edit device configuration information of devices for which they have no privileges. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-425: Direct Request ('Forced Browsing') •

CVE-2024-39866
https://notcve.org/view.php?id=CVE-2024-39866
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. This could allow an attacker with access to the backup encryption key and with the right to upload backup files to create a user with administrative privileges. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-267: Privilege Defined With Unsafe Actions •

CVE-2024-39865
https://notcve.org/view.php?id=CVE-2024-39865
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files that could potentially lead to remote code execution. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-39571
https://notcve.org/view.php?id=CVE-2024-39571
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1). Affected applications are vulnerable to command injection due to missing server-side input sanitization when loading SNMP configurations. This could allow an attacker with the right to modify the SNMP configuration to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-928781.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-39570
https://notcve.org/view.php?id=CVE-2024-39570
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1). Affected applications are vulnerable to command injection due to missing server-side input sanitization when loading VxLAN configurations. This could allow an authenticated attacker to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-928781.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-39569
https://notcve.org/view.php?id=CVE-2024-39569
09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.2 HF1). The system service of affected applications is vulnerable to command injection due to missing server-side input sanitization when loading VPN configurations. This could allow an administrative remote attacker running a corresponding SINEMA Remote Connect Server to execute arbitrary code with system privileges on the client system. • https://cert-portal.siemens.com/productcert/html/ssa-868282.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •