CVE-2022-21940

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
References
Link Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03 Third Party Advisory US Government Resource VDB Entry
https://www.johnsoncontrols.com/cyber-solutions/security-advisories Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:johnsoncontrols:metasys_system_configuration_tool:*:*:*:*:*:*:*:*
cpe:2.3:a:johnsoncontrols:metasys_system_configuration_tool:*:*:*:*:*:*:*:*

History

27 Jun 2023, 18:19

Type Values Removed Values Added
CWE CWE-79 CWE-311

17 Feb 2023, 16:35

Type Values Removed Values Added
New CVE

Information

Published : 2023-02-09 21:15

Updated : 2024-02-04 23:14


NVD link : CVE-2022-21940

Mitre link : CVE-2022-21940

CVE.ORG link : CVE-2022-21940


JSON object : View

Products Affected

johnsoncontrols

  • metasys_system_configuration_tool
CWE
CWE-311

Missing Encryption of Sensitive Data

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute