VYPR

Sinec Ins

by Siemens Foundation

CVEs (19)

  • CVE-2022-45092CriJan 10, 2023
    risk 0.67cvss 9.9epss 0.31

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote attacker with access to the Web Based Management (443/tcp) of the affected product, could potentially read and write arbitrary files from and to the device's file system.…

  • CVE-2023-44487HigKEVOct 10, 2023
    risk 0.65cvss 7.5epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2024-46888CriNov 12, 2024
    risk 0.64cvss 9.9epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly sanitize user provided paths for SFTP-based file up- and downloads. This could allow an authenticated remote attacker to manipulate arbitrary files on…

  • CVE-2024-46890CriNov 12, 2024
    risk 0.59cvss 9.1epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly validate input sent to specific endpoints of its web API. This could allow an authenticated remote attacker with high privileges on the application to…

  • CVE-2026-46748HigJun 9, 2026
    risk 0.57cvss 8.8epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with the cap_dac_override capability. This capability allows the process to bypass file system permission checks, resulting in…

  • CVE-2026-46746HigJun 9, 2026
    risk 0.57cvss 8.8epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are…

  • CVE-2022-45094HigJan 10, 2023
    risk 0.55cvss 8.4epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote attacker with access to the Web Based Management (443/tcp) of the affected product, could potentially inject commands into the dhcpd configuration of the affected…

  • CVE-2022-45093HigJan 10, 2023
    risk 0.55cvss 8.5epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 1). An authenticated remote attacker with access to the Web Based Management (443/tcp) of the affected product as well as with access to the SFTP server of the affected product (22/tcp), could…

  • CVE-2023-48427HigDec 12, 2023
    risk 0.53cvss 8.1epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Affected products do not properly validate the certificate of the configured UMC server. This could allow an attacker to intercept credentials that are sent to the UMC server as well as to…

  • CVE-2026-46749HigJun 9, 2026
    risk 0.49cvss 7.5epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of…

  • CVE-2023-48428HigDec 12, 2023
    risk 0.47cvss 7.2epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). The radius configuration mechanism of affected products does not correctly check uploaded certificates. A malicious admin could upload a crafted certificate resulting in a denial-of-service…

  • CVE-2023-48431MedDec 12, 2023
    risk 0.44cvss 6.8epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Affected software does not correctly validate the response received by an UMC server. An attacker can use this to crash the affected software by providing and configuring a malicious UMC server…

  • CVE-2024-46894MedNov 12, 2024
    risk 0.41cvss 6.3epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly validate authorization of a user to query the "/api/sftp/users" endpoint. This could allow an authenticated remote attacker to gain knowledge about the…

  • CVE-2024-46891MedNov 12, 2024
    risk 0.34cvss 5.3epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly restrict the size of generated log files. This could allow an unauthenticated remote attacker to trigger a large amount of logged events to exhaust the…

  • CVE-2024-46889MedNov 12, 2024
    risk 0.34cvss 5.3epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application uses hard-coded cryptographic key material to obfuscate configuration files. This could allow an attacker to learn that cryptographic key material through reverse…

  • CVE-2024-46892MedNov 12, 2024
    risk 0.32cvss 4.9epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The affected application does not properly invalidate sessions when the associated user is deleted or disabled or their permissions are modified. This could allow an authenticated attacker to…

  • CVE-2026-46747MedJun 9, 2026
    risk 0.28cvss 4.3epss 0.00

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used for directory listing. This allows path traversal through crafted input, enabling…

  • CVE-2023-48430LowDec 12, 2023
    risk 0.18cvss 2.7epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). The REST API of affected devices does not check the length of parameters in certain conditions. This allows a malicious admin to crash the server by sending a crafted request to the API. The…

  • CVE-2023-48429LowDec 12, 2023
    risk 0.18cvss 2.7epss 0.01

    A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). The Web UI of affected devices does not check the length of parameters in certain conditions. This allows a malicious admin to crash the server by sending a crafted request to the server. The…