PT-2024-8705 · Siemens · Sinec Ins

Published: 2024-11-12 · Updated: 2024-11-17 · CVE-2024-46888

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SINEC INS versions prior to V1.0 SP2 Update 3

Description: A vulnerability has been identified in the affected application, which does not properly sanitize user-provided paths for SFTP-based file uploads and downloads. This could allow an authenticated remote attacker to manipulate arbitrary files on the filesystem and achieve arbitrary code execution on the device. The root cause is insufficient sanitization of the paths supplied for file uploads.

Recommendations: For versions prior to V1.0 SP2 Update 3, update to V1.0 SP2 Update 3 or later to resolve the issue. As a temporary workaround, consider restricting access to SFTP-based file uploads and downloads until the update is applied. Avoid using user-provided paths for SFTP-based file uploads and downloads in the affected application until the issue is resolved.
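The weakness described above is the classic path-confinement failure: a server takes a client-supplied path for an upload or download and joins it to a base directory without checking that the result still lies inside that directory. The following is an added example (not Siemens code and not taken from SINEC INS) of the check a file-transfer service should apply before touching the filesystem. It assumes a hypothetical per-user root directory and that every client path is meant to be relative to it; the helper names (`confine`, `classify`, `demo`) and the sample paths are constructed for illustration.

```python
"""Confining client-supplied SFTP paths to a per-user root directory.

Added example, not Siemens' code. Assumes (hypothetically) that the server
keeps one root directory per authenticated user and that every upload or
download path sent by the client is relative to that root.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when a client path would leave the user's root directory."""


def confine(root: str, client_path: str) -> Path:
    """Return the absolute filesystem path for client_path, or raise.

    Checks, in order:
    1. the client path must be relative (no leading '/');
    2. it must contain no '..' component (lexical traversal);
    3. after resolving symlinks, the target must still be inside root.
    Step 3 catches a symlink placed inside the root that points outside it,
    which a purely lexical check (steps 1 and 2) cannot see.
    """
    root_abs = Path(root).resolve()
    rel = PurePosixPath(client_path)          # SFTP paths are POSIX-style
    if rel.is_absolute():
        raise PathTraversalError(f"absolute path rejected: {client_path!r}")
    if any(part == ".." for part in rel.parts):
        raise PathTraversalError(f"'..' component rejected: {client_path!r}")
    # Non-strict resolve() is fine for paths that do not exist yet (uploads).
    target = (root_abs / Path(*rel.parts)).resolve()
    if target != root_abs and root_abs not in target.parents:
        raise PathTraversalError(
            f"path escapes root after resolution: {client_path!r} -> {target}")
    return target


def classify(root: str, client_path: str) -> str:
    """Convenience wrapper: 'allowed' or 'rejected' for a client path."""
    try:
        confine(root, client_path)
        return "allowed"
    except PathTraversalError:
        return "rejected"


def demo() -> dict:
    """Build a constructed per-user root in a temp dir and classify samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sftp" / "user1"
        (root / "uploads").mkdir(parents=True)
        (root / "uploads" / "report.txt").write_text("constructed sample\n")
        # A symlink inside the root that points outside it (constructed case
        # for step 3 above).
        os.symlink(tmp, root / "escape")
        samples = [
            "uploads/report.txt",        # existing file inside root
            "uploads/new/config.bin",    # not-yet-existing upload target
            "../../etc/shadow",          # lexical traversal
            "/etc/shadow",               # absolute path
            "escape/secret.txt",         # traversal through a symlink
            "uploads/../../other",       # '..' after a valid component
        ]
        return {p: classify(str(root), p) for p in samples}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8s} {path}")
```

The order of the checks matters: the lexical checks give a precise error message and cost nothing, but only the final comparison against the resolved root defends against symlinks or mount points inside the user's directory. Either check alone is the kind of gap an advisory like this one describes.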

Fix

Weakness Enumeration: Path traversal

Related Identifiers: BDU:2024-10307, CVE-2024-46888

Affected Products: Sinec Ins