8.8
CVE-2022-22551
- EPSS 0.39%
- Veröffentlicht 21.01.2022 21:15:09
- Zuletzt bearbeitet 21.11.2024 06:47:00
- Quelle security_alert@emc.com
- CVE-Watchlists
- Unerledigt
DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dell ≫ Emc Appsync Version < 4.4.0.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.39% | 0.304 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 5.8 | 6.5 | 6.4 |
AV:A/AC:L/Au:N/C:P/I:P/A:P
|
| security_alert@emc.com | 8.3 | 2.8 | 5.5 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
CWE-598 Use of HTTP Request With Sensitive Query String
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
https://www.dell.com/support/kbdoc/000195377