CVE-2022-25151
09.06.2022, 17:15
Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| itarian | on-premise | 𝑥 < 6.35.37347.20040 |
| itarian | saas_service_desk | 𝑥 < 6.35.37347.20040 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| itarian | on-premise | 𝑥 < 6.35.37347.20040 | ADP |
| itarian | saas_service_desk | 𝑥 < 6.35.37347.20040 | ADP |
Common Weakness Enumeration
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' AttributeThe Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.