PT-2023-12674 · Johnson Controls · Johnson Controls System Configuration Tool
Published 2023-02-09 · Updated 2023-06-27 · CVE-2022-21940
CVSS v3.1: 7.5 High
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Johnson Controls System Configuration Tool (SCT) versions 14 prior to 14.2.3
Johnson Controls System Configuration Tool (SCT) versions 15 prior to 15.0.3
Description
The issue allows access to a sensitive cookie in an HTTPS session due to the lack of the 'Secure' attribute. This could potentially compromise the security of the session.
Recommendations
For versions 14 prior to 14.2.3, update to version 14.2.3 or later.
For versions 15 prior to 15.0.3, update to version 15.0.3 or later.
Fix
Missing Encryption of Sensitive Data
Related Identifiers
Affected Products
Johnson Controls System Configuration Tool