Vulnerability Details : CVE-2022-26157
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The ASP.NET_Sessionid cookie is not protected by the Secure flag. This makes it prone to interception by an attacker if traffic is sent over unencrypted channels.
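As an added example (not part of the CVE record or the vendor's code), a small Python audit that parses Set-Cookie response headers and reports a session cookie that lacks the Secure attribute; the sample headers below are constructed to mirror the ASP.NET_SessionId case described above.

```python
import re

# Constructed sample responses: the first mirrors the weakness in the CVE record
# (session cookie issued without Secure), the second is a hardened equivalent.
CONSTRUCTED_HEADERS = {
    "vulnerable": ["Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly"],
    "hardened": [
        "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure; SameSite=Lax"
    ],
}

# Cookie names treated as session identifiers (lower-cased); extend as needed.
SESSION_COOKIE_NAMES = {"asp.net_sessionid"}


def parse_set_cookie(header):
    """Split a raw 'Set-Cookie: ...' line into (cookie_name, {attr: value})."""
    value = re.sub(r"^set-cookie:\s*", "", header, flags=re.I)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attrs map to ""
    return name, attrs


def audit_cookies(headers):
    """Return [(cookie_name, missing_attribute), ...] for session cookies."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        for required in ("secure", "httponly"):
            if required not in attrs:
                findings.append((name, required))
    return findings


if __name__ == "__main__":
    for label, hdrs in CONSTRUCTED_HEADERS.items():
        print(label, audit_cookies(hdrs) or "no findings")
```

In ASP.NET applications the Secure attribute on the session cookie is governed by the `requireSSL` attribute of `<httpCookies>` in web.config; the record above does not state which change the vendor made.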
Exploit prediction scoring system (EPSS) score for CVE-2022-26157
Probability of exploitation activity in the next 30 days: 0.08%
Percentile (the proportion of vulnerabilities scored at or below this one): ~32%
CVSS scores for CVE-2022-26157
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST
CWE ids for CVE-2022-26157
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-26157
- https://help.cherwell.com/bundle/release_notes_10_4_help_only/page/content/release_notes/10_4_0_fix_list.html (CSM 10.4.0 Fixes List, Release Notes; Vendor Advisory)
- https://github.com/l00neyhacker/CVE-2022-26157 (GitHub - l00neyhacker/CVE-2022-26157; Third Party Advisory)
Products affected by CVE-2022-26157
- cpe:2.3:a:cherwell:cherwell_service_management:10.2.3:*:*:*:*:*:*:*