9.8
CVE-2022-40630
- EPSS 0.45%
- Veröffentlicht 23.09.2022 19:15:15
- Zuletzt bearbeitet 21.11.2024 07:21:44
- Quelle vdisclose@cert-in.org.in
- CVE-Watchlists
- Unerledigt
LoginThis vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface. An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted http request on the targeted device. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform session fixation on the targeted device.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Tacitine ≫ En6200-prime Quad-35 Firmware Version >= 19.1.1 < 22.21.2
Tacitine ≫ En6200-prime Quad-100 Firmware Version >= 19.1.1 < 22.21.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.45% | 0.628 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| vdisclose@cert-in.org.in | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.