CVE-2021-42115 – Missing HTTPOnly flag on sensitive cookie in TopEase
https://notcve.org/view.php?id=CVE-2021-42115
Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID. La falta del flag HTTPOnly en las aplicaciones web que operan en la plataforma TopEase® de Business-DNA Solutions GmbH, versiones anteriores a 7.1.27 incluyéndola, permite a un atacante remoto no autenticado escalar los privilegios de un usuario no autenticado a uno autenticado por medio del robo y la inyección del UID de la cookie estática e independiente de la sesión • https://confluence.topease.ch/confluence/display/DOC/Release+Notes • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •