CVE-2024-46892

Name of the Vulnerable Software and Affected Versions SINEC INS versions prior to V1.0 SP2 Update 3

Description A vulnerability has been identified in the affected application where it does not properly invalidate sessions when the associated user is deleted, disabled, or their permissions are modified. This could allow an authenticated attacker to continue performing malicious actions even after their user account has been disabled. The issue is related to the incorrect session validity period, which may enable a remote attacker to maintain a session after the user account has been deleted.

Recommendations For versions prior to V1.0 SP2 Update 3, update to V1.0 SP2 Update 3 or later to resolve the issue. As a temporary workaround, consider manually invalidating sessions for deleted, disabled, or permission-modified users until a patch is applied. Restrict access to sensitive areas of the application to minimize the risk of exploitation.