CVE-2022-25311

CWE-269 — Improper Privilege Management3 documents3 sources

Severity

8.8HIGH

EPSS

0.1%

top 65.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Sinec Network Management System Siemens Sinec NMS Siemens Sinema Server V14 +1 more

Timeline

PublishedMar 8

Latest updateMar 9

Description

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages4 packages

▶NVDsiemens/sinec_network_management_system< 1.0.3

▶CVEListV5siemens/sinec_nmsAll versions < V1.0.3, All versions >= V1.0.3 < V2.0+1

▶NVDsiemens/sinema_server14.0

▶CVEListV5siemens/sinema_server_v14All versions

🔴Vulnerability Details

GHSA

GHSA-35fm-4q2r-j938: A vulnerability has been identified in SINEC NMS (All versions)↗2022-03-09

▶

CVEList

CVE-2022-25311: A vulnerability has been identified in SINEC NMS (All versions >= V1↗2022-03-08

▶