CVE-2024-41685

Cookie Without HTTPOnly Flag Set Vulnerability

CVSS 6.9 MEDIUM | EPSS 0.5% | CWE-1004
In short

The router's login cookies lack the HTTPOnly protection flag, allowing attackers to steal them through cross-site scripting attacks and hijack user sessions.

Technical detail

CWE-1004: The session cookies of the web management interface are set without the HTTPOnly flag, so attacker-controlled JavaScript (for example, injected via XSS) can read the session tokens. Exploitation requires network proximity or user interaction with a malicious script and can lead to unauthorized administrative access.

Summary generated and translated by AI from the official description.
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
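A defender's check for this class of weakness, added here as an example and not part of the advisory or of the vendor's firmware: it parses Set-Cookie headers, flags any cookie that lacks HttpOnly (and, since they are usually audited together, Secure and SameSite), and shows a hardened header beside the weak one. The cookie names, values and the sample HTTP response are constructed for illustration and are not taken from the affected device.

```python
"""Audit Set-Cookie headers for the HttpOnly flag and related attributes.

Added example, not from the advisory or the vendor. All header values and
cookie names below are constructed to illustrate CWE-1004.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples: the first shows the weakness (no HttpOnly), the second
# the hardened equivalent. "sessionid" is a hypothetical cookie name.
WEAK_SET_COOKIE = "sessionid=abc123; Path=/"
HARDENED_SET_COOKIE = "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"

# Constructed raw response header lines, as a scanner would read them.
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: lang=en; Path=/; HttpOnly; Secure; SameSite=Lax",
]


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and an attribute map.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag-style attributes such as HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie header: %r" % header)
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attributes=attrs)


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with the list of protective attributes it lacks."""
    audit = parse_set_cookie(header)
    if "httponly" not in audit.attributes:
        audit.missing.append("HttpOnly")   # the CWE-1004 condition
    if "secure" not in audit.attributes:
        audit.missing.append("Secure")
    if "samesite" not in audit.attributes:
        audit.missing.append("SameSite")
    return audit


def is_session_cookie_hardened(header: str) -> bool:
    """True when the cookie carries HttpOnly, Secure and SameSite."""
    return not audit_set_cookie(header).missing


def audit_response_headers(lines: List[str]) -> List[CookieAudit]:
    """Pick every Set-Cookie header out of raw response lines and audit it."""
    results = []
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            results.append(audit_set_cookie(value.strip()))
    return results


if __name__ == "__main__":
    for audit in audit_response_headers(SAMPLE_RESPONSE):
        status = "OK" if not audit.missing else "missing " + ", ".join(audit.missing)
        print(f"{audit.name}: {status}")
```

Run against a real device, the same check would be fed the Set-Cookie headers captured from the login response; a session cookie that reports "missing HttpOnly" is the condition this advisory describes.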
