Siemens Sinema Remote Connect Server
By the Year
In 2024 there have been 16 vulnerabilities in Siemens Sinema Remote Connect Server with an average score of 7.3 out of ten. Sinema Remote Connect Server did not have any published security vulnerabilities last year. That is, 16 more vulnerabilities have already been reported in 2024 as compared to last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 16 | 7.30 |
2023 | 0 | 0.00 |
2022 | 31 | 7.91 |
2021 | 14 | 6.42 |
2020 | 1 | 7.50 |
2019 | 6 | 6.23 |
2018 | 0 | 0.00 |
It may take a day or so for new Sinema Remote Connect Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Siemens Sinema Remote Connect Server Security Vulnerabilities
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2)
CVE-2024-42345
4.3 - Medium
- September 10, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi factor authentication for user session establishment.
Session Fixation
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1)
CVE-2024-39571
8.8 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1). Affected applications are vulnerable to command injection due to missing server side input sanitation when loading SNMP configurations. This could allow an attacker with the right to modify the SNMP configuration to execute arbitrary code with root privileges.
Command Injection
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39876
4 - Medium
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly handle log rotation. This could allow an unauthenticated remote attacker to cause a denial of service condition through resource exhaustion on the device.
Allocation of Resources Without Limits or Throttling
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39875
4.3 - Medium
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows authenticated, low privilege users with the 'Manage own remote connections' permission to retrieve details about other users and group memberships.
Incorrect Permission Assignment for Critical Resource
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39871
5.4 - Medium
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected applications do not properly separate the rights to edit device settings and to edit settings for communication relations. This could allow an authenticated attacker with the permission to manage devices to gain access to participant groups that the attacked does not belong to.
AuthZ
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1)
CVE-2024-39570
8.8 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 HF1). Affected applications are vulnerable to command injection due to missing server side input sanitation when loading VxLAN configurations. This could allow an authenticated attacker to execute arbitrary code with root privileges.
Command Injection
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39874
7.5 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks.
Improper Restriction of Excessive Authentication Attempts
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39873
7.5 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks.
Improper Restriction of Excessive Authentication Attempts
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39872
9.9 - Critical
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly assign rights to temporary files created during its update process. This could allow an authenticated attacker with the 'Manage firmware updates' role to escalate their privileges on the underlying OS level.
Creation of Temporary File With Insecure Permissions
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39870
7.8 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected applications can be configured to allow users to manage own users. A local authenticated user with this privilege could use this modify users outside of their own scope as well as to escalate privileges.
Client-Side Enforcement of Server-Side Security
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39869
6.5 - Medium
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected products allow to upload certificates. An authenticated attacker could upload a crafted certificates leading to a permanent denial-of-service situation. In order to recover from such an attack, the offending certificate needs to be removed manually.
Improper Check for Unusual or Exceptional Conditions
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39868
7.3 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web interface allowing an unauthenticated attacker to access and edit VxLAN configuration information of networks for which they have no privileges.
forced browsing
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39867
7.3 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). Affected devices do not properly validate the authentication when performing certain actions in the web interface allowing an unauthenticated attacker to access and edit device configuration information of devices for which they have no privileges.
forced browsing
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39866
8.8 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. This could allow an attacker with access to the backup encryption key and with the right to upload backup files to create a user with administrative privileges.
Privilege Defined With Unsafe Actions
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2024-39865
8.8 - High
- July 09, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to upload encrypted backup files. As part of this backup, files can be restored without correctly checking the path of the restored file. This could allow an attacker with access to the backup encryption key to upload malicious files, that could potentially lead to remote code execution.
Unrestricted File Upload
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2)
CVE-2022-32257
9.8 - Critical
- March 12, 2024
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to resources and potentially lead to code execution.
Authorization
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32262
9.8 - Critical
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains a file upload server that is vulnerable to command injection. An attacker could use this to achieve arbitrary code execution.
Command Injection
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2022-27219
4.3 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 443. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
Clickjacking
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2022-27220
4.3 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 6220. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
Clickjacking
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-29034
6.1 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An error message pop up window in the web interface of the affected application does not prevent injection of JavaScript code. This could allow attackers to perform reflected cross-site scripting (XSS) attacks.
XSS
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32252
7.8 - High
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The application does not perform the integrity check of the update packages. Without validation, an admin user might be tricked to install a malicious package, granting root privileges to an attacker.
Insufficient Verification of Data Authenticity
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32254
7.5 - High
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). A customized HTTP POST request could force the application to write the status of a given user to a log file, exposing sensitive user information that could provide valuable guidance to an attacker.
Insertion of Sensitive Information into Log File
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32255
5.3 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to unauthorized access to limited information.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32256
6.5 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application consists of a web service that lacks proper access control for some of the endpoints. This could lead to low privileged users accessing privileged information.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1)
CVE-2022-32260
9.8 - Critical
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application creates temporary user credentials for UMC (User Management Component) users. An attacker could use these temporary credentials for authentication bypass in certain scenarios.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32261
7.5 - High
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains a misconfiguration in the APT update. This could allow an attacker to add insecure packages to the application.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32258
7.5 - High
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The affected application contains an older feature that allows to import device configurations via a specific endpoint. An attacker could use this vulnerability for information disclosure.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32259
6.5 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). The system images for installation or update of the affected application contain unit test scripts with sensitive information. An attacker could gain information about testing architecture and also tamper with test configuration.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-27221
5.9 - Medium
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack.
Side Channel Attack
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32251
9.8 - Critical
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain the privileges of an administrative user.
Missing Authentication for Critical Function
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1)
CVE-2022-32253
7.5 - High
- June 14, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). Due to improper input validation, the OpenSSL certificate's password could be printed to a file reachable by an attacker.
Improper Input Validation
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model
CVE-2022-25313
6.5 - Medium
- February 18, 2022
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
Stack Exhaustion
In Expat (aka libexpat) before 2.4.5
CVE-2022-25314
7.5 - High
- February 18, 2022
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
Integer Overflow or Wraparound
In Expat (aka libexpat) before 2.4.5
CVE-2022-25315
9.8 - Critical
- February 18, 2022
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
Integer Overflow or Wraparound
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding
CVE-2022-25235
9.8 - Critical
- February 16, 2022
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
Output Sanitization
xmlparse.c in Expat (aka libexpat) before 2.4.5
CVE-2022-25236
9.8 - Critical
- February 16, 2022
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
Exposure of Resource to Wrong Sphere
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0)
CVE-2022-23102
6.1 - Medium
- February 09, 2022
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Affected products contain an open redirect vulnerability. An attacker could trick a valid authenticated user to the device into clicking a malicious link there by leading to phishing attacks.
Open Redirect
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
CVE-2022-23990
7.5 - High
- January 26, 2022
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
Integer Overflow or Wraparound
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer
CVE-2022-23852
9.8 - Critical
- January 24, 2022
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.
Integer Overflow or Wraparound
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826
8.8 - High
- January 10, 2022
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823
9.8 - Critical
- January 10, 2022
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824
9.8 - Critical
- January 10, 2022
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825
8.8 - High
- January 10, 2022
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22827
8.8 - High
- January 10, 2022
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22822
9.8 - Critical
- January 10, 2022
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
Integer Overflow or Wraparound
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3
CVE-2021-46143
7.8 - High
- January 06, 2022
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
Integer Overflow or Wraparound
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c
CVE-2021-45960
8.8 - High
- January 01, 2022
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
Incorrect Calculation
The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries
CVE-2021-41991
7.5 - High
- October 18, 2021
The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.
Integer Overflow or Wraparound
Malformed requests may cause the server to dereference a NULL pointer
CVE-2021-34798
7.5 - High
- September 16, 2021
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
NULL Pointer Dereference
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user
CVE-2021-40438
9 - Critical
- September 16, 2021
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
XSPA
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2021-37177
6.5 - Medium
- September 14, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The status provided by the syslog clients managed by the affected software can be manipulated by an unauthenticated attacker in the same network of the affected system.
MAID
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2021-37193
4.3 - Medium
- September 14, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could manipulate certain parameters and set a valid user of the affected software as invalid (or vice-versa).
MAID
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2021-37192
4.3 - Medium
- September 14, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve a list of network devices a known user can manage.
Information Disclosure
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2021-37191
4.3 - Medium
- September 14, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.
Insufficient anti-automation
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2021-37190
4.3 - Medium
- September 14, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software has an information disclosure vulnerability that could allow an attacker to retrieve VPN connection for a known user.
Information Disclosure
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2)
CVE-2021-37183
6.5 - Medium
- September 14, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices.
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*
CVE-2021-22924
3.7 - Low
- August 05, 2021
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
Use of Incorrectly-Resolved Name or Reference
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl
CVE-2021-22925
5.3 - Medium
- August 05, 2021
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.
Use of Uninitialized Resource
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a
CVE-2021-20093
9.1 - Critical
- June 16, 2021
A buffer over-read vulnerability exists in Wibu-Systems CodeMeter versions < 7.21a. An unauthenticated remote attacker can exploit this issue to disclose heap memory contents or crash the CodeMeter Runtime Server.
Out-of-bounds Read
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0)
CVE-2020-25240
8.8 - High
- March 15, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). Unpriviledged users can access services when guessing the url. An attacker could impact availability, integrity and gain information from logs and templates of the service.
AuthZ
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0)
CVE-2020-25239
8.8 - High
- March 15, 2021
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with unprivilege user rights.
AuthZ
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
CVE-2020-7595
7.5 - High
- January 21, 2020
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
Infinite Loop
xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
CVE-2019-19956
7.5 - High
- December 24, 2019
xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
Missing Release of Resource after Effective Lifetime
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1)
CVE-2019-13922
2.7 - Low
- September 13, 2019
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). An attacker with administrative privileges can obtain the hash of a connected device's password. The security vulnerability could be exploited by an attacker with network access to the SINEMA Remote Connect Server and administrative privileges. At the time of advisory publication no public exploitation of this security vulnerability was known.
Missing Encryption of Sensitive Data
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1)
CVE-2019-13920
4.3 - Medium
- September 13, 2019
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some parts of the web application are not protected against Cross Site Request Forgery (CSRF) attacks. The security vulnerability could be exploited by an attacker that is able to trigger requests of a logged-in user to the application. The vulnerability could allow switching the connectivity state of a user or a device. At the time of advisory publication no public exploitation of this security vulnerability was known.
Session Riding
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1)
CVE-2019-13919
4.3 - Medium
- September 13, 2019
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). Some pages that should only be accessible by a privileged user can also be accessed by a non-privileged user. The security vulnerability could be exploited by an attacker with network access and valid credentials for the web interface. No user interaction is required. The vulnerability could allow an attacker to access information that he should not be able to read. The affected information does not include passwords. At the time of advisory publication no public exploitation of this security vulnerability was known.
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1)
CVE-2019-13918
9.8 - Critical
- September 13, 2019
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). The web interface has no means to prevent password guessing attacks. The vulnerability could be exploited by an attacker with network access to the vulnerable software, requiring no privileges and no user interaction. The vulnerability could allow full access to the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.
Weak Password Requirements
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0)
CVE-2019-6570
8.8 - High
- April 17, 2019
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0). Due to insufficient checking of user permissions, an attacker may access URLs that require special authorization. An attacker must have access to a low privileged account in order to exploit the vulnerability.
Improper Handling of Insufficient Permissions or Privileges
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Siemens Sinema Remote Connect Server or by Siemens? Click the Watch button to subscribe.