Vulnerability Description
The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
CVSS Score
5.3
MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Endress | Meac300-Fnade4 Firmware | <= 0.16.0 |
| Endress | Meac300-Fnade4 | - |
Related Weaknesses (CWE)
References
- https://sick.com/psirtVendor Advisory
- https://sick.com/psirtVendor Advisory
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practicesUS Government Resource
- https://www.endress.comProduct
- https://www.first.org/cvss/calculator/3.1Not Applicable
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.jsonVendor Advisory
- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdfVendor Advisory
FAQ
What is CVE-2025-27453?
CVE-2025-27453 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
How severe is CVE-2025-27453?
CVE-2025-27453 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-27453?
Check the references section above for vendor advisories and patch information. Affected products include: Endress Meac300-Fnade4 Firmware, Endress Meac300-Fnade4.