CVE-2019-13919

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid credentials for the web interface. No user interaction is required. The vulnerability could allow an attacker to access information that he should not be able to read. The affected information does not include passwords. At the time of advisory publication no public exploitation of this security vulnerability was known.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf	Patch Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:sinema_remote_connect_server::::::::
	cpe:2.3:a:siemens:sinema_remote_connect_server:2.0:hf1::::::

History

21 Nov 2024, 04:25

Type	Values Removed	Values Added
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf - Patch, Vendor Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf - Patch, Vendor Advisory

Information

Published : 2019-09-13 17:15

Updated : 2024-11-21 04:25

NVD link : CVE-2019-13919

Mitre link : CVE-2019-13919

CVE.ORG link : CVE-2019-13919

JSON object : View

Products Affected

siemens

sinema_remote_connect_server

CWE

CWE-284

Improper Access Control

NVD-CWE-Other

{"id": "CVE-2019-13919", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2019-09-13T17:15:11.803", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-884497.pdf", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid credentials for the web interface. No user interaction is required. The vulnerability could allow an attacker to access information that he should not be able to read. The affected information does not include passwords. At the time of advisory publication no public exploitation of this security vulnerability was known."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en SINEMA Remote Connect Server (Todas las versiones anteriores a V2.0 SP1). Algunas p\u00e1ginas que deber\u00edan solo ser accedidas por parte de un usuario privilegiado pueden tambi\u00e9n ser accedidas por un usuario no privilegiado. La vulnerabilidad de seguridad podr\u00eda ser explotada por un atacante con acceso a la red y credenciales v\u00e1lidas para la interfaz web. No se requiere interacci\u00f3n del usuario. La vulnerabilidad podr\u00eda permitir a un atacante acceder a informaci\u00f3n que no deber\u00eda ser capaz de leer. La informaci\u00f3n afectada no incluye contrase\u00f1as. Al momento de la publicaci\u00f3n de asesoramiento, no se conoc\u00eda una explotaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad."}], "lastModified": "2024-11-21T04:25:41.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinema_remote_connect_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "380C606D-43A0-4362-9A5E-BC7320890196", "versionEndIncluding": "2.0"}, {"criteria": "cpe:2.3:a:siemens:sinema_remote_connect_server:2.0:hf1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33B706BB-C3D7-4BAA-A140-A7AF962F7141"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}