CVE-2020-25237

February 16, 2021

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1 Update 1), SINEMA Server (All versions < V14.0 SP2 Update 2). When uploading files to an affected system using a zip container, the system does not correctly check if the relative file path of the extracted files is still within the intended target directory. With this an attacker could create or overwrite arbitrary files on an affected system. This type of vulnerability is also known as 'Zip-Slip'. (ZDI-CAN-12054)

Summary:

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1 Update 1), SINEMA Server (All versions < V14.0 SP2 Update 2). When uploading files to an affected system using a zip container, the system does not correctly check if the relative file path of the extracted files is still within the intended target directory. With this an attacker could create or overwrite arbitrary files on an affected system. This type of vulnerability is also known as 'Zip-Slip'. (ZDI-CAN-12054)

Reference Links(if available):

  • https://cert-portal.siemens.com/productcert/pdf/ssa-156833.pdf
  • https://us-cert.cisa.gov/ics/advisories/icsa-21-040-03

  • CVSS Score (if available)

    v2: / MEDIUM

    v3: /

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    ai checkout2

    Smart devices: new law helps citizens to choose secure products

    April 30, 2024
    CISA Logo

    CISA: CISA Releases Four Industrial Control Systems Advisories

    April 30, 2024
    CISA Logo

    CISA: CISA and Partners Release Advisory on Akira Ransomware

    April 30, 2024
    CISA Logo

    CISA: Oracle Releases Critical Patch Update Advisory for April 2024

    April 30, 2024
    CISA Logo

    CISA: Cisco Releases Security Advisories for Cisco Integrated Management Controller

    April 30, 2024