Products
SINEMA Remote Connect Server
- < V3.2 SP2
sinema_remote_connect_server
- *
sinema_remote_connect_server
- 3
- .
- 2
Source
productcert@siemens.com
Tags
CVE-2024-42345 details
Last Modified : Sept. 10, 2024, 6:54 p.m.
Description
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi factor authentication for user session establishment.
CVSS Score
| 1 | 2 | 3 | 4.3 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-384 | Session Fixation | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.3
Exploitability Score
2.8
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References
| URL | Source |
|---|---|
| https://cert-portal.siemens.com/productcert/html/ssa-869574.html | productcert@siemens.com |
CPEs
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | siemens | sinema_remote_connect_server | / | / | / | / | / | / | / | / |
| a | siemens | sinema_remote_connect_server | 3.2 | - | / | / | / | / | / | / |
| a | siemens | sinema_remote_connect_server | 3.2 | hf1 | / | / | / | / | / | / |
| a | siemens | sinema_remote_connect_server | 3.2 | sp1 | / | / | / | / | / | / |