7.5
CVE-2022-21939
- EPSS 0.22%
- Veröffentlicht 09.02.2023 21:15:11
- Zuletzt bearbeitet 21.11.2024 06:45:44
- Quelle productsecurity@jci.com
- CVE-Watchlists
- Unerledigt
LoginSensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Johnsoncontrols ≫ Metasys System Configuration Tool Version >= 14.0 < 14.2.3
Johnsoncontrols ≫ Metasys System Configuration Tool Version >= 15.0 < 15.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.446 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| productsecurity@jci.com | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
CWE-732 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.