CVE-2024-41985

A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle.

CVSS v3 2.6 LOW

2.6^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-382999.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:opcenter_quality:13.2:*:*:*:*:*:*:*

History

22 Oct 2025, 18:30

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en los módulos SmartClient Opcenter QL Home (SC) (todas las versiones >= V13.2 < V2506), SOA Audit (todas las versiones >= V13.2 < V2506) y SOA Cockpit (todas las versiones >= V13.2 < V2506). La aplicación afectada no expira la sesión sin cerrar sesión. Esto podría permitir que un atacante obtenga acceso no autorizado si la sesión permanece inactiva.
First Time		Siemens Siemens opcenter Quality
References	~~() https://cert-portal.siemens.com/productcert/html/ssa-382999.html -~~	() https://cert-portal.siemens.com/productcert/html/ssa-382999.html - Vendor Advisory
CPE		cpe:2.3:a:siemens:opcenter_quality:13.2:::::::*

12 Aug 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 12:15

Updated : 2025-10-22 18:30

NVD link : CVE-2024-41985

Mitre link : CVE-2024-41985

CVE.ORG link : CVE-2024-41985

JSON object : View

Products Affected

siemens

opcenter_quality

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2024-41985", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}], "cvssMetricV40": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-12T12:15:32.977", "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-382999.html", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en los m\u00f3dulos SmartClient Opcenter QL Home (SC) (todas las versiones >= V13.2 < V2506), SOA Audit (todas las versiones >= V13.2 < V2506) y SOA Cockpit (todas las versiones >= V13.2 < V2506). La aplicaci\u00f3n afectada no expira la sesi\u00f3n sin cerrar sesi\u00f3n. Esto podr\u00eda permitir que un atacante obtenga acceso no autorizado si la sesi\u00f3n permanece inactiva."}], "lastModified": "2025-10-22T18:30:52.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:opcenter_quality:13.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "238C890D-8EBF-4378-B887-89AED294F983"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}