Vulnerability Details CVE-2025-27223
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 79.5%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2025-27223
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:-
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.0.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.0.1
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.1.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.1.1
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.2.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.3.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.3.1
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.10.4.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.3.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.3.1
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.4.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.4.1
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.5.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.5.1
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.6.0
-
cpe:2.3:a:rocketsoftware:trufusion_enterprise:7.9.6.1