CVE-2022-25172

HIGH Year: 2022
CVSS v3 Score
7.5
High
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-1004
View all →

Vulnerability Description

An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.

Related Vulnerabilities

CVE-2022-33167

HIGH
CVSS:7.5(High)

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly fla...

CWE-10042022

CVE-2022-43845

HIGH
CVSS:7.5(High)

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability...

CWE-10042022

CVE-2024-41685

MEDIUM
CVSS:7.5(High)

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote acce...

CWE-10042024

CVE-2021-3706

HIGH
CVSS:7.4(High)

adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag

CWE-10042021

CVE-2025-24318

MEDIUM
CVSS:6.8(Medium)

Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.

CWE-10042025

CVE-2019-8283

MEDIUM
CVSS:6.5(Medium)

Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it.

CWE-10042019