Siemens Sinec Nms vulnerabilities

CVE-2024-41938 [MEDIUM] CWE-22 CVE-2024-41938: A vulnerability has been identified in SINEC NMS (All versions < V3.0). The importCertificate functi A vulnerability has been identified in SINEC NMS (All versions < V3.0). The importCertificate function of the SINEC NMS Control web application contains a path traversal vulnerability. This could allow an authenticated attacker it to delete arbitrary certificate files on the drive SINEC NMS is installed on.

CVE-2023-46280 [HIGH] CWE-125 CVE-2023-46280: A vulnerability has been identified in Security Configuration Tool (SCT) (All versions), SIMATIC Aut A vulnerability has been identified in Security Configuration Tool (SCT) (All versions), SIMATIC Automation Tool (All versions < V5.0 SP2), SIMATIC BATCH V9.1 (All versions < V9.1 SP2 Upd5), SIMATIC NET PC Software V16 (All versions < V16 Update 8), SIMATIC NET PC Software V17 (All versions), SIMATIC NET PC Software V18 (All versions < V18 SP1), SIMAT

CVE-2024-31978 [HIGH] CWE-22 CVE-2024-31978: A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP2). Affected devices allow a A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP2). Affected devices allow authenticated users to export monitoring data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download files from the file system. Under certain circumstances the downloaded files are deleted f

CVE-2024-23810 [CRITICAL] CWE-89 CVE-2024-23810: A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application is vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database.

CVE-2024-23812 [HIGH] CWE-78 CVE-2024-23812: A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application incorrectly neutralizes special elements when creating a report which could lead to command injection.

CVE-2024-23811 [HIGH] CWE-434 CVE-2024-23811: A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application A vulnerability has been identified in SINEC NMS (All versions < V2.0 SP1). The affected application allows users to upload arbitrary files via TFTP. This could allow an attacker to upload malicious firmware images or other files, that could potentially lead to remote code execution.

CVE-2023-46281 [HIGH] CWE-942 CVE-2023-46281: A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcente A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), T

CVE-2023-46285 [HIGH] CWE-20 CVE-2023-46285: A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcente A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), To

CVE-2023-46284 [HIGH] CWE-120 CVE-2023-46284: A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcente A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), T

CVE-2023-46283 [HIGH] CWE-120 CVE-2023-46283: A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcente A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), T

CVE-2023-46282 [MEDIUM] CWE-79 CVE-2023-46282: A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcente A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions),

CVE-2022-30527 [HIGH] CWE-732 CVE-2022-30527: A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application ass A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application assigns improper access rights to specific folders containing executable files and libraries. This could allow an authenticated local attacker to inject arbitrary code and escalate privileges.

CVE-2023-44487 [HIGH] CWE-400 CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancell The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-44315 [MEDIUM] CWE-79 CVE-2023-44315: A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application imp A vulnerability has been identified in SINEC NMS (All versions < V2.0). The affected application improperly sanitizes certain SNMP configuration data retrieved from monitored devices. An attacker with access to a monitored device could prepare a stored cross-site scripting (XSS) attack that may lead to unintentional modification of application data b

CVE-2022-25311 [HIGH] CWE-269 CVE-2022-25311: A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All ver A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user

CVE-2022-24281 [HIGH] CWE-89 CVE-2022-24281: A vulnerability has been identified in SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All ver A vulnerability has been identified in SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). A privileged authenticated attacker could execute arbitrary commands in the local database by sending specially crafted requests to the webserver of the affected application.

CVE-2022-24282 [HIGH] CWE-502 CVE-2022-24282: A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All ver A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected system allows to upload JSON objects that are deserialized to Java objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could ex

CVE-2021-42550 [MEDIUM] CWE-502 CVE-2021-42550: In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit config In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

CVE-2021-33724 [CRITICAL] CWE-22 CVE-2021-33724: A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected sy A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system contains an Arbitrary File Deletion vulnerability that possibly allows to delete an arbitrary file or directory under a user controlled path.

CVE-2021-33725 [CRITICAL] CWE-22 CVE-2021-33725: A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected sy A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to delete arbitrary files or directories under a user controlled path and does not correctly check if the relative path is still within the intended target directory.