CVE-2022-43398

Published: Nov 8, 2022Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not renew the session cookie after login/logout and also accept user defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim logged in, the attacker is given access to the user's account through the activated session.

Affected (2)

Products: Siemens: 7kg9501 0aa01 2aa1 Firmware, 7kg9501 0aa31 2aa1 Firmware

2 products

7kg9501 0aa01 2aa1 Firmware

7kg9501 0aa31 2aa1 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens 7kg9501 0aa01 2aa1 Firmware	Before 2.50

Running on/with	Platform Versions
Siemens 7kg9501 0aa01 2aa1	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Siemens 7kg9501 0aa31 2aa1 Firmware	Before 2.50

Running on/with	Platform Versions
Siemens 7kg9501 0aa31 2aa1	All versions

Related CWEs

Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References (4)

https://cert-portal.siemens.com/productcert/pdf/ssa-570294.pdf

Source: productcert@siemens.com

MitigationPatchVendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-887249.pdf

Source: productcert@siemens.com

https://cert-portal.siemens.com/productcert/pdf/ssa-570294.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationPatchVendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-887249.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.