Vulnerability Details CVE-2022-26157
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The ASP.NET_Sessionid cookie is not protected by the Secure flag. This makes it prone to interception by an attacker if traffic is sent over unencrypted channels.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.8%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/l00neyhacker/CVE-2022-26157
- https://help.cherwell.com/bundle/release_notes_10_4_help_only/page/content/release_notes/10_4_0_fix_list.html
- https://github.com/l00neyhacker/CVE-2022-26157
- https://help.cherwell.com/bundle/release_notes_10_4_help_only/page/content/release_notes/10_4_0_fix_list.html
Products affected by CVE-2022-26157
-
cpe:2.3:a:cherwell:cherwell_service_management:10.2.3