CVE-2022-32777

2022-08-2219:15:10

CWE-732

[email protected]

web.nvd.nist.gov

cve-2022-32777

information disclosure

cookie functionality

wwbn avideo

vulnerability

javascript

httponly

secure flag

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

57.3%

JSON

An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests.This vulnerabilty is for the session cookie which can be leaked via JavaScript.

Affected configurations

Vulners

NVD

Node

wwbnavideoRange≤11.6

wwbnavideoRange≤dev master commit 3f7c0364

VendorProductVersionCPE
wwbnavideo*cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
wwbnavideo*cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wwbn	avideo	*	cpe:2.3:a:wwbn:avideo::::::::
wwbn	avideo	*	cpe:2.3:a:wwbn:avideo::::::::

CNA Affected

[
  {
    "product": "AVideo",
    "vendor": "WWBN",
    "versions": [
      {
        "status": "affected",
        "version": "11.6"
      },
      {
        "status": "affected",
        "version": "dev master commit 3f7c0364"
      }
    ]
  }
]