CVE-2022-21939
EUVD-2022-2709509.02.2023, 21:15
Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| johnsoncontrols | metasys_system_configuration_tool | 14.0 ≤ 𝑥 < 14.2.3 |
| johnsoncontrols | metasys_system_configuration_tool | 15.0 ≤ 𝑥 < 15.0.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-1004 - Sensitive Cookie Without 'HttpOnly' FlagThe software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.