CVE-2022-25172 Information

Description

An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie is missing the HttpOnly flag, which makes it accessible via JavaScript and allows an attacker who is able to perform an XSS attack to steal the session cookie.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1470

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

6.1

Base Severity

MEDIUM
