CVE-2025-27453

CVSS 5.3 (Medium) | EPSS 0.4% | CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track. No exploitation signal; monitor.
KEV: no. Other indicators listed on the page: PoC, Nuclei, Metasploit, patch referenced.
Lifecycle: 03 Jul 2025, published on NVD.
Recommendation: Monitor — no exploitation signal at the moment.
In short

The site's session cookie is readable by JavaScript. Any script that runs in the page, for example one injected through an XSS flaw, can read the session identifier, send it to an attacker, and let the attacker act as the logged-in user without knowing their password.

Technical detail

The PHPSESSION cookie is issued without the HttpOnly attribute, so client-side script can read it through document.cookie. On its own this is not exploitable: an attacker still needs a way to run JavaScript in the victim's origin, typically an XSS flaw or a compromised third-party script. With that foothold the script can exfiltrate the session token and the attacker can replay it to hijack the authenticated session. The CVSS vector reflects this dependency (AC:H, UI:R: a second weakness and a user action are required). Note that HttpOnly only prevents token theft; a script in the page can still issue requests that carry the cookie automatically, so the flag does not stop session riding by itself.
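As an added example, not taken from the advisory or from the affected product, the following Python audits Set-Cookie headers and flags a session cookie issued without HttpOnly, and, since a practitioner checks them together, without Secure or a SameSite value. The header values are constructed for the example; the cookie names PHPSESSION (from the description) and PHPSESSID (PHP's default session.name) are assumed to be the session cookies of interest.

```python
"""Audit Set-Cookie headers for session cookies that lack HttpOnly/Secure/SameSite."""
from dataclasses import dataclass, field

# Assumed session cookie names: PHPSESSION is the name in the CVE description,
# PHPSESSID is PHP's default session.name.
SESSION_COOKIE_NAMES = {"PHPSESSION", "PHPSESSID"}


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value string, or True for flag attributes
    attrs: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def samesite(self):
        return self.attrs.get("samesite")


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers):
    """Return (cookie name, finding) pairs for session cookies with weak attributes."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in SESSION_COOKIE_NAMES:
            continue  # only session identifiers are in scope here
        if not cookie.httponly:
            findings.append((cookie.name, "missing HttpOnly: readable via document.cookie (CWE-1004)"))
        if not cookie.secure:
            findings.append((cookie.name, "missing Secure: sent over plaintext HTTP"))
        if cookie.samesite is None or str(cookie.samesite).lower() == "none":
            findings.append((cookie.name, "SameSite absent or None: attached to cross-site requests"))
    return findings


# Constructed sample headers, not captured from the affected product.
VULNERABLE_HEADER = "PHPSESSION=abc123def456; Path=/"
HARDENED_HEADER = "PHPSESSION=abc123def456; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {audit([header]) or 'no findings'}")
```

The same check can be run against live responses by feeding the script every Set-Cookie header from a login response. On the PHP side the attribute is controlled by the session.cookie_httponly INI setting (set it to 1 in php.ini, or call ini_set('session.cookie_httponly', '1') or session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']) before session_start()).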

Summary generated and translated by AI from the official description.
The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
