Medium

Analysis Summary

CVE-2024-41683 CVSS:5.3

Siemens Location Intelligence could allow a remote attacker to obtain sensitive information, caused by the failure to properly enforce a strong user password policy. An attacker could exploit this vulnerability to facilitate a brute force attack against legitimate user passwords.

CVE-2024-41938 CVSS:5.5

Siemens SINEC NMS contains a path traversal vulnerability. By sending a specially crafted request to the importCertificate function, a remote authenticated attacker could exploit this vulnerability to delete arbitrary certificate files on the drive SINEC NMS is installed on.

CVE-2024-41905 CVSS:6.8

Siemens SINEC Traffic Analyzer could allow a remote authenticated attacker to obtain sensitive information. The affected application does not have access control for accessing the files. An attacker could exploit this vulnerability to get access to sensitive information.

CVE-2024-41941 CVSS:4.3

Siemens SINEC NMS could allow a remote authenticated attacker to bypass security restrictions, caused by the failure to properly enforce authorization checks. An attacker could exploit this vulnerability to bypass the checks and modify settings in the application without authorization.

Impact

• Information Disclosure

Indicators of Compromise

CVE

• CVE-2024-41683
• CVE-2024-41938
• CVE-2024-41905
• CVE-2024-41941

Affected Vendors

Affected Products

• Siemens SINEC NMS - 2.0
• Siemens Location Intelligence family - 4.0
• Siemens SINEC NMS - 2.0 Siemens SINEC Traffic Analyzer - 1.0

Remediation

Refer to Siemens Security Advisory Advisory for patch, upgrade or suggested workaround information.

CVE-2024-41683

CVE-2024-41938

CVE-2024-41905

CVE-2024-41941