CVE-2022-32778

EPSS 1.07%
Veröffentlicht 22.08.2022 19:15:10
Zuletzt bearbeitet 21.11.2024 07:06:56
Quelle talos-cna@cisco.com
Teams Watchlist Login
Unerledigt Login

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerability is for the pass cookie, which contains the hashed password and can be leaked via JavaScript.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wwbn ≫ Avideo Version11.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.07%	0.768

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
talos-cna@cisco.com	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql

Third Party Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1542

Third Party Advisory

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2022-32778

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-32778

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-32778

EUVD