Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24045

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.

Published

2022-05-20T13:15:14.600

Last Modified

2024-11-21T06:49:43.390

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-614
Type: Primary
CWE-311
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	siemens	desigo_dxr2_firmware	< 01.21.142.5-22	Yes
Hardware	siemens	desigo_dxr2	-	No
Operating System	siemens	desigo_pxc3_firmware	< 01.21.142.4-18	Yes
Hardware	siemens	desigo_pxc3	-	No
Operating System	siemens	desigo_pxc4_firmware	< 02.20.142.10-10884	Yes
Hardware	siemens	desigo_pxc4	-	No
Operating System	siemens	desigo_pxc5_firmware	< 02.20.142.10-10884	Yes
Hardware	siemens	desigo_pxc5	-	No

References

https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf Vendor Advisory ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)