CVE-2021-42115
EUVD-2021-2910030.11.2021, 12:15
Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| businessdnasolutions | topease | 𝑥 ≤ 7.1.27 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' FlagThe software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.