QSearchQSearch

CVE-2021-40354

7.1 HIGH

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcent...

Published: 2021-09-14 · Last updated: 2026-06-17

Severity and scoring

CVSS
7.1 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE
CWE-267, CWE-269

Affected products

VendorProduct
siemensteamcenter_visualization

Description

A vulnerability has been identified in Teamcenter V12.4 (All versions < V12.4.0.8), Teamcenter V13.0 (All versions < V13.0.0.7), Teamcenter V13.1 (All versions < V13.1.0.5), Teamcenter V13.2 (All versions < 13.2.0.2). The "surrogate" functionality on the user profile of the application does not perform sufficient access control that could lead to an account takeover. Any profile on the application can perform this attack and access any other user assigned tasks via the "inbox/surrogate tasks".

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-46749 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (7.5 HIGH)
  • CVE-2026-46748 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (8.8 HIGH)
  • CVE-2026-46747 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (4.3 MEDIUM)
  • CVE-2026-46746 A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6) (8.8 HIGH)
  • CVE-2026-0257 Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker ... (9.1 CRITICAL)

Same CWE

  • CVE-2024-38487 api-gateway container running with root privilege would allow an attacker to escape the container and access host system to perform unint... (7.0 HIGH)
  • CVE-2026-12313 Information disclosure, sandbox escape in the Security: Process Sandboxing component (4.7 MEDIUM)
  • CVE-2026-12289 Privilege escalation in the Graphics: WebRender component (8.8 HIGH)
  • CVE-2026-8176 The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Adminis... (7.5 HIGH)
  • CVE-2025-9912 Nokia SR Linux is vulnerable to a local privilege escalation vulnerability (6.3 MEDIUM)