Vulnerability Description
An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie lacks the HttpOnly flag, so it is readable from JavaScript; an attacker who can perform an XSS attack against the web interface can therefore steal the session cookie.
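As an added example (not code from the advisory or from the vendor), the following Python check parses Set-Cookie headers and reports the missing HttpOnly flag described above; it goes slightly beyond the advisory by also checking Secure and SameSite. The cookie name and values are constructed, since the advisory does not name the router's session cookie.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (plus Secure and SameSite)."""
from typing import Dict, List, Optional

# Constructed sample headers. The cookie name "session" is a placeholder;
# the advisory does not give the InRouter302 cookie name or format.
VULNERABLE_HEADER = "session=3f9a1c2e; Path=/"
HARDENED_HEADER = "session=3f9a1c2e; Path=/; HttpOnly; Secure; SameSite=Strict"


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into its cookie name and lower-cased attributes.

    Flag attributes (HttpOnly, Secure) map to None; valued attributes map to
    their value. The cookie name is stored under the key "__name__".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {"__name__": name}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie header."""
    attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie is readable via document.cookie")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie is also sent over plaintext HTTP")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None: cookie rides on cross-site requests")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of a response, keyed by cookie name."""
    return {parse_set_cookie(h)["__name__"]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_headers([VULNERABLE_HEADER, HARDENED_HEADER]).items():
        print(name, "->", findings or ["no findings"])
```

Feeding the function real Set-Cookie headers captured from a device's login response is enough to confirm whether the flag is present after a firmware update.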
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Inhandnetworks | Ir302 Firmware | <= 3.5.4 |
| Inhandnetworks | Ir302 | - |
Related Weaknesses (CWE)
References
- https://talosintelligence.com/vulnerability_reports/TALOS-2022-1470 (Exploit, Technical Description, Third Party Advisory)
- https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pd (Vendor Advisory)
FAQ
What is CVE-2022-25172?
CVE-2022-25172 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie lacks the HttpOnly flag, so it is readable from JavaScript; an attacker who can perform an XSS attack against the web interface can therefore steal the session cookie.
How severe is CVE-2022-25172?
CVE-2022-25172 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2022-25172?
Check the references section above for vendor advisories and patch information. Affected products include: Inhandnetworks Ir302 Firmware, Inhandnetworks Ir302.