PT-2022-17700 · Cherwell · Cherwell Service Management
L00Neyhacker · Published 2022-02-28 · Updated 2023-08-08
CVE-2022-26157 · CVSS v3.1 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cherwell Service Management version 10.2.3
Description
An issue was discovered in the web application where the ASP.NET_SessionId cookie is not protected by the Secure flag, making it prone to interception by an attacker if traffic is sent over unencrypted channels.
Recommendations
For Cherwell Service Management version 10.2.3, consider configuring the web application to protect the ASP.NET_SessionId cookie with the Secure flag to prevent interception over unencrypted channels. As a temporary workaround, restrict access to unencrypted channels to minimize the risk of exploitation.
Exploit
Fix
Weakness Enumeration
Missing Encryption of Sensitive Data
Related Identifiers
CVE-2022-26157
Affected Products
Cherwell Service Management
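The following web.config fragment is an added example illustrating the Recommendations above; it is not Cherwell's configuration and not part of this advisory. It assumes a standard ASP.NET (.NET Framework) application using the default session-state cookie name ASP.NET_SessionId, and shows the weak setting beside the corrected one using the real system.web elements httpCookies and sessionState.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example web.config for an ASP.NET (.NET Framework) application.
     Assumption: the session cookie uses the default name ASP.NET_SessionId. -->
<configuration>
  <system.web>

    <!-- Weak configuration (the condition the advisory describes): with
         requireSSL="false" (the default) ASP.NET issues the session cookie
         without the Secure flag, so a browser will also send it over plain
         HTTP, where anyone on the network path can read it.
    <httpCookies requireSSL="false" />
    -->

    <!-- Corrected configuration: requireSSL="true" makes ASP.NET set the
         Secure flag on every cookie it issues, the session cookie included,
         so the browser only sends it over HTTPS. httpOnlyCookies="true"
         additionally keeps client-side script from reading the cookie. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

    <!-- Session-state settings; cookieName is shown explicitly here for
         clarity, this value is the default. -->
    <sessionState mode="InProc" cookieName="ASP.NET_SessionId" cookieless="false" />

  </system.web>
</configuration>
```

To confirm the fix, load a page over HTTPS and inspect the response: the Set-Cookie header for ASP.NET_SessionId should now carry the Secure (and HttpOnly) attribute. Note that once requireSSL="true" is set, ASP.NET refuses to issue the cookie over a plain-HTTP request, so the application must be reachable over HTTPS only, which matches the advisory's interim advice to restrict unencrypted access.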