Multiple Vulnerabilities in SINEC NMS before V2.0

An attacker with local access to a SINEC NMS workstation could inject code or malicious scripts that execute with the NMS application's privileges, potentially allowing them to manipulate network management functions, access sensitive configuration data, or alter monitoring of industrial devices across your network.

Network and systems engineers who operate SINEC NMS in industrial plants, particularly those managing Siemens industrial control systems and network-connected devices. This affects network management workstations that run SINEC NMS for monitoring and configuring distributed industrial networks.

An authenticated user with local access to a SINEC NMS workstation could submit malicious input through the application interface to trigger code injection or stored XSS. The injected code would execute in the context of the NMS application, allowing the attacker to perform actions as that application user.