CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41796
https://notcve.org/view.php?id=CVE-2024-41796
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices allows to change the login password without knowing the current password. In combination with a prepared CSRF attack (CVE-2024-41795) an unauthenticated attacker could be able to set the password to an attacker-controlled value. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-620: Unverified Password Change •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41795
https://notcve.org/view.php?id=CVE-2024-41795
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices is vulnerable to Cross-Site Request Forgery (CSRF) attacks. This could allow an unauthenticated attacker to change arbitrary device settings by tricking a legitimate device administrator to click on a malicious link. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41794
https://notcve.org/view.php?id=CVE-2024-41794
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the ssh service is enabled (e.g., by exploitation of CVE-2024-41793). • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41793
https://notcve.org/view.php?id=CVE-2024-41793
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices provides an endpoint that allows to enable the ssh service without authentication. This could allow an unauthenticated remote attacker to enable remote access to the device via ssh. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41792
https://notcve.org/view.php?id=CVE-2024-41792
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker it to access arbitrary files on the device with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41791
https://notcve.org/view.php?id=CVE-2024-41791
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the date and time. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41790
https://notcve.org/view.php?id=CVE-2024-41790
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the region parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41789
https://notcve.org/view.php?id=CVE-2024-41789
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the language parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41788
https://notcve.org/view.php?id=CVE-2024-41788
08 Apr 2025 — A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges. • https://cert-portal.siemens.com/productcert/html/ssa-187636.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •