CVE-2018-4847

EPSS 0.03%
Published 23.04.2018 16:29:00
Last modified 21.11.2024 04:07:34
Source productcert@siemens.com
Teams watchlist Login
Open Login

A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinCC OA Operator iOS app could allow an attacker with physical access to the mobile device to read unencrypted data from the app's directory. Siemens provides mitigations to resolve the security issue.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Siemens ≫ Simatic Wincc Oa Operator Version- SwPlatformiphone_os

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.085

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.6	0.9	3.6	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

http://www.securityfocus.com/bid/103941

Third Party Advisory

VDB Entry

https://cert-portal.siemens.com/productcert/pdf/ssa-597741.pdf

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-4847

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-4847

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-4847

EUVD