PT-2022-2718 · Siemens · Desigo PXC3 +3
Published
2022-05-10
·
Updated
2023-06-23
·
CVE-2022-24045
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Desigo DXR2 versions prior to V01.21.142.5-22
Desigo PXC3 versions prior to V01.21.142.4-18
Desigo PXC4 versions prior to V02.20.142.10-10884
Desigo PXC5 versions prior to V02.20.142.10-10884
Description
The application sets its session cookie from client-side JavaScript (document.cookie) rather than in a server-side Set-Cookie header, and does so without the Secure, HttpOnly or SameSite attributes. Without Secure the browser sends the cookie whenever the application is browsed over plain HTTP, so an attacker positioned on the network path can read it off the wire; without HttpOnly the cookie is readable by any script running in the page; without SameSite its behaviour on cross-site requests is left to the browser's default. A cookie written via document.cookie can never carry HttpOnly, so the attribute cannot be added from the client side at all. The vulnerability is exploitable remotely: an attacker who intercepts the session cookie gains unauthorized access to the information it protects.
Recommendations
For Desigo DXR2 versions prior to V01.21.142.5-22, update to version V01.21.142.5-22 or later to resolve the issue.
For Desigo PXC3 versions prior to V01.21.142.4-18, update to version V01.21.142.4-18 or later to resolve the issue.
For Desigo PXC4 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later to resolve the issue.
For Desigo PXC5 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later to resolve the issue.
As a temporary workaround, browse the application only over HTTPS, which keeps the session cookie off the wire in clear text. Because the cookie still lacks the Secure attribute, the browser will send it unencrypted if it is ever directed to the device over plain HTTP, so this reduces rather than eliminates the risk of interception; blocking plain HTTP access to the device where possible closes that gap until the update is applied.
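The weakness described above and the limits of the HTTPS workaround, as an added example that is not code from Siemens or from this advisory: the bare cookie that a document.cookie write produces (the vulnerable pattern) is audited beside a server-issued Set-Cookie header carrying Secure, HttpOnly and SameSite, using a small header parser a tester can run over captured responses. The cookie name SESSIONID, the token value and the function names are assumptions made for illustration; the Desigo products' actual cookie names are not given on this page.

```javascript
'use strict';

// Vulnerable pattern (what the advisory describes): the page writes the
// session cookie itself, e.g.  document.cookie = "SESSIONID=" + token;
// The stored cookie is the bare name=value pair below: no Secure, no SameSite,
// and HttpOnly is impossible because document.cookie cannot set it.
function clientSideCookieString(name, value) {
  return `${name}=${encodeURIComponent(value)}`;
}

// Hardened pattern: the server issues the cookie in a Set-Cookie response
// header, which is the only place HttpOnly can be applied.
function hardenedSessionCookie(name, value, sameSite = 'Strict') {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  if (sameSite !== 'Strict' && sameSite !== 'Lax') {
    throw new Error('session cookies should use SameSite=Strict or Lax');
  }
  return [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value and list the protective attributes it
// lacks. Attribute names are matched case-insensitively, as in RFC 6265.
function auditSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  if (!pair) throw new Error('empty Set-Cookie value');
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = new Map();
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : a.slice(i + 1).trim();
    attrs.set(key, val);
  }
  const findings = [];
  if (!attrs.has('secure')) findings.push('missing Secure: sent in clear over plain HTTP');
  if (!attrs.has('httponly')) findings.push('missing HttpOnly: readable via document.cookie');
  const ss = attrs.get('samesite');
  if (ss === undefined) {
    findings.push('missing SameSite: cross-site behaviour left to browser default');
  } else if (String(ss).toLowerCase() === 'none' && !attrs.has('secure')) {
    findings.push('SameSite=None is only honoured together with Secure');
  }
  return { name, attrs, findings, ok: findings.length === 0 };
}

// Run the audit over every Set-Cookie header of a response (e.g. from fetch()
// or a proxy capture) and return only the cookies that have findings.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders.map(auditSetCookie).filter((r) => !r.ok);
}

// Stand-alone demo: "abc123" is a constructed placeholder token.
for (const c of [clientSideCookieString('SESSIONID', 'abc123'),
                 hardenedSessionCookie('SESSIONID', 'abc123')]) {
  const r = auditSetCookie(c);
  console.log(`${c}\n  -> ${r.ok ? 'OK' : r.findings.join('; ')}`);
}
```

The audit deliberately treats SameSite=None without Secure as a finding of its own: browsers ignore such a cookie, so it is a configuration error rather than a weaker setting. For a device that only ever speaks plain HTTP, the Secure flag would stop the cookie being sent at all, which is why the advisory's real fix is the firmware update rather than any attribute change alone.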
Fix
Missing Encryption of Sensitive Data (CWE-311)
Affected Products
Desigo DXR2
Desigo PXC3
Desigo PXC4
Desigo PXC5