Description
SolarWinds N-Central version 12.3 GA and lower does not set the HttpOnly attribute on the JSESSIONID cookie. This makes it possible to influence the cookie with JavaScript. An attacker could send the user to a prepared webpage, or influence JavaScript, to extract the JSESSIONID. This could then be forwarded to the attacker.
References
- Third Party Advisory
- Product
- Third Party Advisory
- Product
Vulnerable configurations
Configuration 1: versions up to and including 12.3
cpe:2.3:a:solarwinds:n-central:*:*:*:*:general_availability:*:*:*
EPSS
Percentile: 58%
0.00358
Low
4.7 Medium
CVSS3
4.3 Medium
CVSS2
Weaknesses
CWE-732
Related vulnerabilities
github
more than 3 years ago
SolarWinds N-Central version 12.3 GA and lower does not set the HttpOnly attribute on the JSESSIONID cookie. This makes it possible to influence the cookie with JavaScript. An attacker could send the user to a prepared webpage, or influence JavaScript, to extract the JSESSIONID. This could then be forwarded to the attacker.