← back
CVE-2022-25172

CVE-2022-25172

CVSS 7.5 HIGHEPSS 0.9%CWE-1004
In short

The InRouter302 web interface stores session cookies without the HttpOnly protection flag, allowing attackers to steal these cookies through JavaScript-based attacks. This enables unauthorized access to user accounts if an attacker can inject malicious scripts.

Technical detail

A missing HttpOnly flag on session cookies in InRouter302 V3.5.4 web interface allows cross-site scripting (XSS) attacks to access and exfiltrate session tokens via JavaScript. The vulnerability requires a prior XSS vector but enables complete session hijacking, leading to authentication bypass and administrative access compromise.

Summary generated and translated by AI from the official description.
An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
InHand Networks · InRouter302

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1470https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf