Session Cookie Vulnerability in POWER METER SICAM Q200 by Siemens
CVE-2022-43398
7.5 HIGH
Summary
A vulnerability has been identified in the POWER METER SICAM Q200 family: the devices do not renew session cookies after user login or logout events, and they accept user-defined session cookies. An attacker can overwrite a legitimate user's session cookie and, once the victim has logged in, gain unauthorized access to the victim's account. This is a significant risk, because it could allow attackers to manipulate user sessions and potentially compromise sensitive information.
Affected Version(s)
POWER METER SICAM Q100 All versions < V2.50
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved