CVE-2022-25311

A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.

CVSS v3 7.3 HIGH
CVSS v2.0 6.5 MEDIUM

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-250085.pdf	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:sinec_network_management_system::::::::
	cpe:2.3:a:siemens:sinema_server:14.0:::::::*

History

10 Oct 2023, 11:15

Type	Values Removed	Values Added
Summary	A vulnerability has been identified in SINEC NMS (All versions < V1.0.3), SINEC NMS (All versions >= V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.	A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected software do not properly check privileges between users during the same web browser session, creating an unintended sphere of control. This could allow an authenticated low privileged user to achieve privilege escalation.
CWE	~~NVD-CWE-Other~~	CWE-269

10 Jul 2023, 19:34

Type	Values Removed	Values Added
CPE		cpe:2.3:a:siemens:sinema_server:14.0:::::::*
CWE	~~CWE-269~~	NVD-CWE-Other
First Time		Siemens sinema Server

Information

Published : 2022-03-08 12:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-25311

Mitre link : CVE-2022-25311

CVE.ORG link : CVE-2022-25311

JSON object : View

Products Affected

siemens

sinema_server
sinec_network_management_system

CWE

CWE-269

Improper Privilege Management

NVD-CWE-Other

7.3 /10