PT-2022-20940 · Nortek Linear · Nortek Linear Emerge E3-Series
Omarhashem123 · Published 2022-08-25 · Updated 2023-08-08
CVE-2022-31798
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Nortek Linear eMerge E3-Series version 0.32-07p
Description
The issue allows an attacker to take over an admin account or a user account through a combination of XSS and session fixation via the PHPSESSID when devices are chained together. This is exploited through the "/card scan.php?CardFormatNo=" endpoint, allowing for session fixation.
Recommendations
For Nortek Linear eMerge E3-Series version 0.32-07p, consider disabling access to the "/card scan.php?CardFormatNo=" endpoint until a patch is available to prevent XSS and session fixation attacks. Additionally, restrict the use of the PHPSESSID to minimize the risk of session fixation.
Fix
Session Fixation
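Until the endpoint can be disabled as the recommendations suggest, a defender can at least watch for requests that send markup into the CardFormatNo parameter. The following detection sketch is an added example, not part of the advisory or the vendor's code; it assumes an Apache combined access-log format, uses constructed sample lines, and, because the advisory spells the path "/card scan.php" with a space, treats a space, %20 or underscore in the file name as the same endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log (assumed format): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# A card format selector should be numeric; markup delimiters, a javascript:
# URL or an inline event handler are what a reflected XSS payload needs.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+=', re.IGNORECASE)

def normalize_path(path: str) -> str:
    """Collapse the space / %20 / underscore spellings of the endpoint name
    (assumption: the advisory's "/card scan.php" may be encoded any of these ways)."""
    return unquote(path).lower().replace("_", " ")

def flag_request(line: str):
    """Return (client, decoded CardFormatNo) when the line targets the
    vulnerable endpoint with a markup-bearing value, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if not normalize_path(parts.path).endswith("/card scan.php"):
        return None
    # parse_qs percent-decodes the values once, so MARKUP_RE sees the real characters.
    for value in parse_qs(parts.query, keep_blank_values=True).get("CardFormatNo", []):
        if MARKUP_RE.search(value):
            return client, value
    return None

def scan_log(lines):
    """Run flag_request over every line and collect the hits."""
    return [hit for hit in (flag_request(ln) for ln in lines) if hit]

# Constructed sample lines: a benign numeric request, a request carrying
# markup in CardFormatNo (encoded), and an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Aug/2022:10:00:01 +0000] "GET /card_scan.php?CardFormatNo=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [25/Aug/2022:10:00:07 +0000] "GET /card%20scan.php?CardFormatNo=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [25/Aug/2022:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, value in scan_log(SAMPLE_LOG):
        print(f"suspicious CardFormatNo from {client}: {value!r}")
```

A hit on a device whose session cookie is shared across chained units is the moment to invalidate PHPSESSID values and review admin logins from that client.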
Affected Products
Nortek Linear Emerge E3-Series