Square Enix · Final Fantasy Xiv · CVE-2018-7295
**Name of the Vulnerable Software and Affected Versions**
Square Enix Final Fantasy XIV versions 4.21 through 4.25
**Description**
The issue arises from improper enforcement of message integrity during transmission in a communication channel. This allows a man-in-the-middle attacker to steal user credentials. The problem occurs because a session retrieves global.js via http before proceeding to use https.
**Recommendations**
For versions 4.21 through 4.25, update to Patch 4.3 to resolve the issue. As a temporary workaround, consider restricting access to unsecured http connections to minimize the risk of exploitation.