QwikSec

Security Database

CVE

CWE

Training

CVE-2020-25237

Published: Feb 9, 2021

Modified: Aug 4, 2024

PUBLISHED

Description

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1 Update 1), SINEMA Server (All versions < V14.0 SP2 Update 2). When uploading files to an affected system using a zip container, the system does not correctly check if the relative file path of the extracted files is still within the intended target directory. With this an attacker could create or overwrite arbitrary files on an affected system. This type of vulnerability is also known as 'Zip-Slip'. (ZDI-CAN-12054)

Vendor	Product	Versions
Siemens	SINEC NMS	affected `All versions < V1.0 SP1 Update 1`
Siemens	SINEMA Server	affected `All versions < V14.0 SP2 Update 2`

Weaknesses (CWE)

References

https://cert-portal.siemens.com/productcert/pdf/ssa-156833.pdf

x_refsource_MISC

https://us-cert.cisa.gov/ics/advisories/icsa-21-040-03

x_refsource_MISC

https://www.zerodayinitiative.com/advisories/ZDI-21-253/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.