CVE-2022-2997 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
@huntrdev	CNA	4.6 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Affected Products (NVD)

Vendor	Product	Version
snipeitapp	snipe-it	𝑥 < 6.0.10

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-384 - Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

https://github.com/snipe/snipe-it/commit/6fde72a69335c80079363b7d26aa94e7f67400e1

https://huntr.dev/bounties/c09bf21b-50d2-49f0-8c92-49f6b3c358d8

https://github.com/snipe/snipe-it/commit/6fde72a69335c80079363b7d26aa94e7f67400e1

https://huntr.dev/bounties/c09bf21b-50d2-49f0-8c92-49f6b3c358d8