CVE-2022-25151

EPSS 0.29%
Veröffentlicht 09.06.2022 17:15:08
Zuletzt bearbeitet 21.11.2024 06:51:42
Quelle csirt@divd.nl
CVE-Watchlists
Login
Unerledigt
Login

Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Itarian ≫ On-premise Version < 6.35.37347.20040

Itarian ≫ Saas Service Desk Version < 6.35.37347.20040

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.518

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
csirt@divd.nl	7.5	1.6	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://csirt.divd.nl/CVE-2022-25151

Third Party Advisory

https://csirt.divd.nl/DIVD-2021-00037

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-25151

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-25151

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-25151

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-25151