Vulnerability Description
Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Johnson Controls | Metasys System Configuration Tool | >= 14.0, < 14.2.3 |
Related Weaknesses (CWE)
References
- https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03 (Third Party Advisory, US Government Resource, VDB Entry)
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories (Vendor Advisory)
FAQ
What is CVE-2022-21939?
CVE-2022-21939 is a vulnerability with a CVSS score of 7.5 (HIGH). Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
How severe is CVE-2022-21939?
CVE-2022-21939 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-21939?
Check the references section above for vendor advisories and patch information. Affected products include: Johnson Controls Metasys System Configuration Tool.