CVE-2022-21939

Published: Feb 9, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

Affected (2)

Products: Johnsoncontrols: Metasys System Configuration Tool

Johnsoncontrols

1 product

Metasys System Configuration Tool

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Johnsoncontrols Metasys System Configuration Tool	From 14.0 to 14.2.3
Johnsoncontrols Metasys System Configuration Tool	From 15.0 to 15.0.3

Related CWEs

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03

Source: productsecurity@jci.com

Third Party AdvisoryUS Government ResourceVDB Entry

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Source: productsecurity@jci.com

Vendor Advisory

https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government ResourceVDB Entry

https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.