8

CVE-2022-33137

A vulnerability has been identified in SIMATIC MV540 H (All versions < V3.3), SIMATIC MV540 S (All versions < V3.3), SIMATIC MV550 H (All versions < V3.3), SIMATIC MV550 S (All versions < V3.3), SIMATIC MV560 U (All versions < V3.3), SIMATIC MV560 X (All versions < V3.3). The web session management of affected devices does not invalidate session ids in certain logout scenarios. This could allow an authenticated remote attacker to hijack other users' sessions.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SiemensSimatic Mv540 H Firmware Version < 3.3
   SiemensSimatic Mv540 H Version-
SiemensSimatic Mv540 S Firmware Version < 3.3
   SiemensSimatic Mv540 S Version-
SiemensSimatic Mv550 H Firmware Version < 3.3
   SiemensSimatic Mv550 H Version-
SiemensSimatic Mv550 S Firmware Version < 3.3
   SiemensSimatic Mv550 S Version-
SiemensSimatic Mv560 U Firmware Version < 3.3
   SiemensSimatic Mv560 U Version-
SiemensSimatic Mv560 X Firmware Version < 3.3
   SiemensSimatic Mv560 X Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.33% 0.551
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8 2.1 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6 6.8 6.4
AV:N/AC:M/Au:S/C:P/I:P/A:P
CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."