Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-35211

Summary
Assigner-siemens
Assigner Org ID-cec7a2ec-15b4-4faf-bd53-b40f371f3a77
Published At-11 Jun, 2024 | 11:15
Updated At-11 Feb, 2025 | 10:28
Rejected At-
Credits

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:siemens
Assigner Org ID:cec7a2ec-15b4-4faf-bd53-b40f371f3a77
Published At:11 Jun, 2024 | 11:15
Updated At:11 Feb, 2025 | 10:28
Rejected At:
▼CVE Numbering Authority (CNA)

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”).

Affected Products
Vendor
Siemens AGSiemens
Product
SINEC Traffic Analyzer
Default Status
unknown
Versions
Affected
  • From 0 before V1.2 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-614CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Type: CWE
CWE ID: CWE-614
Description: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.06.8MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version: 4.0
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://cert-portal.siemens.com/productcert/html/ssa-196737.html
N/A
Hyperlink: https://cert-portal.siemens.com/productcert/html/ssa-196737.html
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://cert-portal.siemens.com/productcert/html/ssa-196737.html
x_transferred
Hyperlink: https://cert-portal.siemens.com/productcert/html/ssa-196737.html
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:productcert@siemens.com
Published At:11 Jun, 2024 | 12:15
Updated At:11 Feb, 2025 | 11:15

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.8MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
Siemens AG
siemens
>>sinec_traffic_analyzer>>Versions before 1.2(exclusive)
cpe:2.3:a:siemens:sinec_traffic_analyzer:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-614Secondaryproductcert@siemens.com
CWE ID: CWE-614
Type: Secondary
Source: productcert@siemens.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cert-portal.siemens.com/productcert/html/ssa-196737.htmlproductcert@siemens.com
Patch
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-196737.htmlaf854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
Hyperlink: https://cert-portal.siemens.com/productcert/html/ssa-196737.html
Source: productcert@siemens.com
Resource:
Patch
Vendor Advisory
Hyperlink: https://cert-portal.siemens.com/productcert/html/ssa-196737.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

61Records found
CVE-2020-10048
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 17.70%
||
7 Day CHG~0.00%
Published-09 Feb, 2021 | 15:38
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC PCS 7 (All versions), SIMATIC WinCC (All versions < V7.5 SP2). Due to an insecure password verification process, an attacker could bypass the password protection set on protected files, thus being granted access to the protected content, circumventing authentication.

Action-Not Available
Vendor-Siemens AG
Product-simatic_winccsimatic_pcs_7SIMATIC PCS 7SIMATIC WinCC
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2020-10052
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 16.58%
||
7 Day CHG~0.00%
Published-09 Nov, 2021 | 11:31
Updated-04 Aug, 2024 | 10:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.12). The affected application writes sensitive data, such as usernames and passwords in log files. A local attacker with access to the log files could use this information to launch further attacks.

Action-Not Available
Vendor-Siemens AG
Product-simatic_rtls_locating_managerSIMATIC RTLS Locating Manager
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2019-6567
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 15.95%
||
7 Day CHG~0.00%
Published-12 Jun, 2019 | 13:47
Updated-04 Aug, 2024 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All Versions < V5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3), SCALANCE X-414-3E (All versions). The affected devices store passwords in a recoverable format. An attacker may extract and recover device passwords from the device configuration. Successful exploitation requires access to a device configuration backup and impacts confidentiality of the stored passwords.

Action-Not Available
Vendor-Siemens AG
Product-scalance_x-200_firmwarescalance_x-200scalance_x-414-3escalance_x-300scalance_x-200irtscalance_x-300_firmwarescalance_x-414-3e_firmwarescalance_x-200irt_firmwareSCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)SCALANCE X-200 switch family (incl. SIPLUS NET variants)SCALANCE X-414-3ESCALANCE X-200IRT switch family (incl. SIPLUS NET variants)
CWE ID-CWE-257
Storing Passwords in a Recoverable Format
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-19291
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 37.98%
||
7 Day CHG~0.00%
Published-10 Mar, 2020 | 19:16
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0). The FTP services of the SiVMS/SiNVR Video Server and the Control Center Server (CCS) maintain log files that store login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.

Action-Not Available
Vendor-Siemens AG
Product-sinvr_3_video_serversinvr_3_central_control_serverControl Center Server (CCS)SiNVR/SiVMS Video Server
CWE ID-CWE-313
Cleartext Storage in a File or on Disk
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CVE-2019-18338
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-7.7||HIGH
EPSS-0.72% / 72.53%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 19:08
Updated-15 Nov, 2024 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) contains a directory traversal vulnerability in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker with network access to the CCS server could exploit this vulnerability to list arbitrary directories or read files outside of the CCS application context.

Action-Not Available
Vendor-Siemens AG
Product-sinvr_3_video_serversinvr_3_central_control_serverControl Center Server (CCS)
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-18340
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 17.96%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 19:08
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0), Control Center Server (CCS) (All versions >= V1.5.0), SiNVR/SiVMS Video Server (All versions < V5.0.0), SiNVR/SiVMS Video Server (All versions >= V5.0.0). Both the SiVMS/SiNVR Video Server and the Control Center Server (CCS) store user and device passwords by applying weak cryptography. A local attacker could exploit this vulnerability to extract the passwords from the user database and/or the device configuration files to conduct further attacks.

Action-Not Available
Vendor-Siemens AG
Product-sinvr_3_video_serversinvr_3_central_control_serverControl Center Server (CCS)SiNVR/SiVMS Video Server
CWE ID-CWE-327
Use of a Broken or Risky Cryptographic Algorithm
CVE-2021-42015
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.12% / 31.21%
||
7 Day CHG~0.00%
Published-09 Nov, 2021 | 11:32
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache.

Action-Not Available
Vendor-mendixSiemens AG
Product-mendixMendix Applications using Mendix 7Mendix Applications using Mendix 9Mendix Applications using Mendix 8
CWE ID-CWE-525
Use of Web Browser Cache Containing Sensitive Information
CVE-2021-42022
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 62.89%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 12:06
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC eaSie PCS 7 Skill Package (All versions < V21.00 SP3). When downloading files, the affected systems do not properly neutralize special elements within the pathname. An attacker could then cause the pathname to resolve to a location outside of the restricted directory on the server and read unexpected critical files. The affected file download function is disabled by default.

Action-Not Available
Vendor-Siemens AG
Product-simatic_easie_pcs_7_skillSIMATIC eaSie PCS 7 Skill Package
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-41543
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.76%
||
7 Day CHG~0.00%
Published-08 Mar, 2022 | 11:31
Updated-04 Aug, 2024 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Climatix POL909 (AWB module) (All versions < V11.44), Climatix POL909 (AWM module) (All versions < V11.36). The handling of log files in the web application of affected devices contains an information disclosure vulnerability which could allow logged in users to access sensitive files.

Action-Not Available
Vendor-Siemens AG
Product-climatix_pol909_firmwareclimatix_pol909Climatix POL909 (AWM module)Climatix POL909 (AWB module)
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2021-40364
Matching Score-8
Assigner-Siemens
ShareView Details
Matching Score-8
Assigner-Siemens
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 16.13%
||
7 Day CHG~0.00%
Published-09 Nov, 2021 | 11:32
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP3 UC04), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 5). The affected systems store sensitive information in log files. An attacker with access to the log files could publicly expose the information or reuse it to develop further attacks on the system.

Action-Not Available
Vendor-Siemens AG
Product-simatic_winccsimatic_pcs_7SIMATIC WinCC V15 and earlierSIMATIC WinCC V17SIMATIC PCS 7 V9.1SIMATIC PCS 7 V9.0SIMATIC WinCC V7.4SIMATIC WinCC V7.5SIMATIC WinCC V16SIMATIC PCS 7 V8.2
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2022-4683
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.05%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 00:00
Updated-09 Apr, 2025 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in usememos/memos

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.

Action-Not Available
Vendor-Usememos
Product-memosusememos/memos
CWE ID-CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE ID-CWE-311
Missing Encryption of Sensitive Data
  • Previous
  • 1
  • 2
  • Next
Details not found