First published: Tue Nov 12 2024(Updated: )
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled.
Credit: productcert@siemens.com
Affected Software | Affected Version | How to fix |
---|---|---|
Siemens SINEC Ins | <1.0 | |
Siemens SINEC Ins | =1.0 | |
Siemens SINEC Ins | =1.0-sp1 | |
Siemens SINEC Ins | =1.0-sp2 | |
Siemens SINEC Ins | =1.0-sp2_update_1 | |
Siemens SINEC Ins | =1.0-sp2_update_2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-46892 is considered a high-severity vulnerability due to its potential for unauthorized session persistence.
To fix CVE-2024-46892, upgrade your SINEC INS application to version 1.0 SP2 Update 3 or later.
CVE-2024-46892 allows authenticated attackers to continue performing actions under deleted or disabled user sessions.
CVE-2024-46892 affects all versions of SINEC INS prior to V1.0 SP2 Update 3.
CVE-2024-46892 may lead to unauthorized access since session invalidation does not occur when user permissions are modified.