We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2016-10041



Assignermitre
Reserved2016-12-25
Published2016-12-25
Updated2024-08-06

Description

An issue was discovered in Sprecher Automation SPRECON-E Service Program before 3.43 SP0. Under certain preconditions, it is possible to execute telegram simulation as a non-admin user. As prerequisites, a user must have created an online-connection, validly authenticated and authorized as administrator, and executed telegram simulation. After that, the online-connection must have been closed. Incorrect caching of client data then may lead to privilege escalation, where a subsequently acting non-admin user is permitted to do telegram simulation. In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to a service/maintenance computer with SPRECON-E Service Program running. Additionally, a valid admin-user must have closed the service connection beforehand without closing the program, having executed telegram simulation; the attacker then has access to the running software instance. Hence, there is no risk from external attackers.

References

http://www.securityfocus.com/bid/95296 (95296) vdb-entry

https://www.sprecher-automation.com/en/it-security/

cve.org CVE-2016-10041

nvd.nist.gov CVE-2016-10041

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2016-10041?utm_source=feedly
Subscribe to our newsletter to learn more about our work.