CVE-2022-24045
moderate-risk
Published 2022-05-20
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.
Do I need to act?
-
0.94% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10
Medium
NETWORK
/ LOW complexity
Affected Products (4)
Desigo Dxr2 Firmware
Desigo Pxc3 Firmware
Desigo Pxc4 Firmware
Desigo Pxc5 Firmware
Affected Vendors
References (2)
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf
Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf
37
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
3/34 · Minimal
Exposure
10/34 · Low