Session Fixation Vulnerability in Honeywell XL Web II Controller
CVE-2017-5141

6MEDIUM

Key Information:

Vendor: Honeywell
Status: Honeywell Xl Web Ii Controller
Vendor: CVE Published:; 13 February 2017

What is CVE-2017-5141?

A vulnerability in Honeywell's XL Web II controllers allows attackers to create new user sessions without invalidating existing session identifiers. This situation opens the door for session fixation attacks, where an attacker can hijack authenticated sessions to gain unauthorized access to critical information. Users of affected versions are encouraged to implement security measures to mitigate the risk posed by this vulnerability.

Affected Version(s)

Honeywell XL Web II Controller Honeywell XL Web II Controller

References

http://www.securityfocus.com/bid/95971

vdb-entryx_refsource_BID

https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01

x_refsource_MISC

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 13, 2017
Vulnerability Reserved
Jan 3, 2017