
CVSS: 7.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web interface allowing an unauthenticated attacker to access and edit device configuration information of devices for which they have no privileges. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-425: Direct Request ('Forced Browsing') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. This could allow an attacker with access to the backup encryption key and with the right to upload backup files to create a user with administrative privileges. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-267: Privilege Defined With Unsafe Actions •

CVSS: 9.0 • EPSS: 1% • CPEs: 1 • EXPL: 0

09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files that could potentially lead to remote code execution. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.0 • EPSS: 1% • CPEs: 1 • EXPL: 0

09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1). Affected applications are vulnerable to command injection due to missing server-side input sanitization when loading SNMP configurations. This could allow an attacker with the right to modify the SNMP configuration to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-928781.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 9.0 • EPSS: 1% • CPEs: 1 • EXPL: 0

09 Jul 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1). Affected applications are vulnerable to command injection due to missing server-side input sanitization when loading VxLAN configurations. This could allow an authenticated attacker to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-928781.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Mar 2024 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to resources and potentially lead to code execution. • https://cert-portal.siemens.com/productcert/html/ssa-576771.html • CWE-284: Improper Access Control •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Oct 2023 — A vulnerability has been identified in SINEMA Server V14 (All versions). The affected application improperly sanitizes certain SNMP configuration data retrieved from monitored devices. An attacker with access to a monitored device could perform a stored cross-site scripting (XSS) attack that may lead to arbitrary code execution with `SYSTEM` privileges on the application server. (ZDI-CAN-19823) • https://cert-portal.siemens.com/productcert/pdf/ssa-594373.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

14 Jun 2022 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains a file upload server that is vulnerable to command injection. An attacker could use this to achieve arbitrary code execution. • https://cert-portal.siemens.com/productcert/html/ssa-484086.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jun 2022 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains a misconfiguration in the APT update. This could allow an attacker to add insecure packages to the application. • https://cert-portal.siemens.com/productcert/html/ssa-484086.html • CWE-233: Improper Handling of Parameters •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jun 2022 — A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios. • https://cert-portal.siemens.com/productcert/html/ssa-381581.html • CWE-286: Incorrect User Management •