CVE-2021-42115

moderate-risk
Published 2021-11-30

Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID.

Do I need to act?

-
0.57% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

Affected Products (1)

Topease

Affected Vendors

Businessdnasolutions

References (2)

Release Notes https://confluence.topease.ch/confluence/display/DOC/Release+Notes
Release Notes https://confluence.topease.ch/confluence/display/DOC/Release+Notes
35
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal