Incorrect Permission Assignment for Critical Resource
CVE-2022-32777
Summary
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo in versions prior to 12.4. The session cookie and the pass cookie lack the "HttpOnly" flag, which makes them accessible via JavaScript. The session cookie also lacks the "Secure" flag, which allows it to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests. This CVE covers the session cookie, which can be leaked via JavaScript.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
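To verify a deployment after upgrading, the `Set-Cookie` headers it returns can be audited for the two flags named in the summary. The following is an added example, not code from the advisory or from AVideo; the cookie names `PHPSESSID` and `pass` and the header values are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the HttpOnly and Secure
# flags. Cookie names and header values below are constructed assumptions.
REQUIRED = ("httponly", "secure")


def cookie_flags(set_cookie):
    """Return (cookie name, set of lowercased attribute names) for one header value."""
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; drop any "=value" part.
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a}
    return name, flags


def audit(headers, sensitive):
    """Map each sensitive cookie to the required flags it lacks.

    A cookie set more than once is judged by its last header, since a later
    Set-Cookie for the same name replaces the earlier one in the browser.
    """
    state = {}
    for value in headers:
        name, flags = cookie_flags(value)
        if name in sensitive:
            state[name] = [f for f in REQUIRED if f not in flags]
    return {name: missing for name, missing in state.items() if missing}


SENSITIVE = {"PHPSESSID", "pass"}

# Constructed response headers showing the weakness the summary describes.
BEFORE = [
    "PHPSESSID=constructed-session-id; path=/",
    "pass=constructed-value; path=/; Secure",
]

# Constructed response headers with both flags present.
AFTER = [
    "PHPSESSID=constructed-session-id; path=/; Secure; HttpOnly",
    "pass=constructed-value; path=/; secure; httponly",
]

if __name__ == "__main__":
    print("before:", audit(BEFORE, SENSITIVE))
    print("after: ", audit(AFTER, SENSITIVE))
```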
References
Advisory Timeline
- Published