Lucene search

SiemensCVELIST:CVE-2023-35796

HistoryOct 10, 2023 - 10:21 a.m.

CVE-2023-35796

2023-10-1010:21:20

CWE-79

siemens

www.cve.org

vulnerability

sinema server v14

stored cross-site scripting

arbitrary code execution

snmp configuration

application server

zdi-can-19823

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

41.5%

JSON

A vulnerability has been identified in SINEMA Server V14 (All versions). The affected application improperly sanitizes certain SNMP configuration data retrieved from monitored devices. An attacker with access to a monitored device could perform a stored cross-site scripting (XSS) attack that may lead to arbitrary code execution with SYSTEM privileges on the application server. (ZDI-CAN-19823)

CNA Affected

[
  {
    "vendor": "Siemens",
    "product": "SINEMA Server V14",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-594373.pdf

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C

AI Score

8.7

Confidence

High

EPSS

0.001

Percentile

41.5%

JSON

Related for CVELIST:CVE-2023-35796