Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)
CVE-2022-21939

7.5HIGH

Key Information:

Vendor

Johnson Controls

Status
System Configuration Tool (sct)
Vendor
CVE Published:
9 February 2023

What is CVE-2022-21939?

A vulnerability exists in the Johnson Controls System Configuration Tool (SCT) that allows sensitive cookies to be accessed due to the absence of the 'HttpOnly' flag. This exposure can lead to unauthorized access and potential exploitation of user sessions. It impacts versions 14 prior to 14.2.3 and version 15 prior to 15.0.3. Users are encouraged to review the security advisories for mitigation strategies.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

System Configuration Tool (SCT) 14 < 14.2.3

System Configuration Tool (SCT) 15 < 15.0.3

References

https://www.johnsoncontrols.com/cyber-solutions/security-...
https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.