Siemens Sipass Integrated vulnerabilities

CVE-2025-40772 [HIGH] CWE-79 CVE-2025-40772: A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server appl A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server applications are vulnerable to stored Cross-Site Scripting (XSS), allowing an attacker to inject malicious code that can be executed by other users when they visit the affected page. Successful exploitation allows an attacker to impersonate other users with

CVE-2025-40774 [MEDIUM] CWE-257 CVE-2025-40774: A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server appl A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server applications store user passwords encrypted in its database. Decryption keys are accessible to users with administrative privileges, allowing them to recover passwords. Successful exploitation of this vulnerability allows an attacker to obtain and use va

CVE-2025-40773 [MEDIUM] CWE-639 CVE-2025-40773: A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server appl A vulnerability has been identified in SiPass integrated (All versions < V3.0). Affected server applications contains a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation allows an attacker to potentially manipulate dat

CVE-2022-31812 [HIGH] CWE-125 CVE-2022-31812: A vulnerability has been identified in SiPass integrated (All versions < V2.95.3.18). Affected serve A vulnerability has been identified in SiPass integrated (All versions < V2.95.3.18). Affected server applications contain an out of bounds read past the end of an allocated buffer while checking the integrity of incoming packets. This could allow an unauthenticated remote attacker to create a denial of service condition.

CVE-2022-31810 [HIGH] CWE-20 CVE-2022-31810: A vulnerability has been identified in SiPass integrated (All versions < V2.90.3.8). Affected server A vulnerability has been identified in SiPass integrated (All versions < V2.90.3.8). Affected server applications improperly check the size of data packets received for the configuration client login, causing a stack-based buffer overflow. This could allow an unauthenticated remote attacker to crash the server application, creating a denial of service

CVE-2022-22965 [CRITICAL] CWE-94 CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execut A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature

CVE-2021-44523 [CRITICAL] CWE-668 CVE-2021-44523: A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2. A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal activity feed database.

CVE-2021-44524 [CRITICAL] CWE-668 CVE-2021-44524: A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2. A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal user authentication ser

CVE-2021-45046 [CRITICAL] CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context M

CVE-2021-44522 [HIGH] CWE-668 CVE-2021-44522: A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2. A vulnerability has been identified in SiPass integrated V2.76 (All versions), SiPass integrated V2.80 (All versions), SiPass integrated V2.85 (All versions), Siveillance Identity V1.5 (All versions), Siveillance Identity V1.6 (All versions < V1.6.284.0). Affected applications insufficiently limit the access to the internal message broker system. This

CVE-2021-44228 [CRITICAL] CWE-20 CVE-2021-44228: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LD

CVE-2017-9939 [CRITICAL] CWE-287 CVE-2017-9939: A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could a A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker with network access to the SiPass integrated server to bypass the authentication mechanism and perform administrative operations.

CVE-2017-9940 [HIGH] CWE-269 CVE-2017-9940: A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could a A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker with access to a low-privileged user account to read or write files on the file system of the SiPass integrated server over the network.

CVE-2017-9941 [HIGH] CWE-300 CVE-2017-9941: A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could a A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker in a Man-in-the-Middle position between the SiPass integrated server and SiPass integrated clients to read or modify the network communication.

CVE-2017-9942 [HIGH] CWE-257 CVE-2017-9942: A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could a A vulnerability was discovered in Siemens SiPass integrated (All versions before V2.70) that could allow an attacker with local access to the SiPass integrated server or SiPass integrated client to potentially obtain credentials from the systems.

CVE-2012-5409 [CRITICAL] CWE-119 CVE-2012-5409: AscoServer.exe in the server in Siemens SiPass integrated MP2.6 and earlier does not properly handle AscoServer.exe in the server in Siemens SiPass integrated MP2.6 and earlier does not properly handle IOCP RPC messages received over an Ethernet network, which allows remote attackers to write data to any memory location and consequently execute arbitrary code via crafted messages, as demonstrated by an arbitrary pointer dereference attack or a buff