CVE-2022-21940
EUVD-2022-2709609.02.2023, 21:15
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| johnsoncontrols | metasys_system_configuration_tool | 14.0 ≤ 𝑥 < 14.2.3 |
| johnsoncontrols | metasys_system_configuration_tool | 15.0 ≤ 𝑥 < 15.0.3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' AttributeThe Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
- CWE-311 - Missing Encryption of Sensitive DataThe software does not encrypt sensitive or critical information before storage or transmission.