CVE-2025-27453
In short
A website's session cookie is not protected from JavaScript access, allowing scripts to steal your login information. This means malicious code on the page could capture your session and impersonate you.
Technical detail
The PHPSESSION cookie lacks the HttpOnly flag, so client-side script can read it through DOM APIs such as document.cookie. An attacker who can run JavaScript in the page, for example through an XSS vulnerability, could exfiltrate the session token and hijack the authenticated user's session.
Summary generated and translated by AI from the official description.
The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
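The defender's check for this class of issue is to inspect the Set-Cookie headers a server sends and flag session cookies that lack HttpOnly (and, on HTTPS deployments, Secure). The following Python snippet is an added example written for this page, not code from the vendor or the advisory: it parses Set-Cookie header values, identifies session cookies by name (the hint list, the cookie names and the sample headers are constructed assumptions; the page only names PHPSESSION), and reports the missing flags.

```python
"""Audit Set-Cookie headers for session cookies missing HttpOnly / Secure.

Added example for illustrating the weakness described in CVE-2025-27453;
all sample headers below are constructed, not captured from the affected device.
"""
from typing import Dict, List, NamedTuple, Tuple

# Substrings that usually identify a session cookie (assumed list; extend as needed).
SESSION_NAME_HINTS = ("phpsession", "phpsessid", "jsessionid", "asp.net_sessionid", "sess")


class CookieFinding(NamedTuple):
    name: str
    missing: Tuple[str, ...]  # protective attributes absent from the cookie


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie_headers(headers: List[str], require_secure: bool = True) -> List[CookieFinding]:
    """Return one finding per session cookie that lacks HttpOnly (and Secure if required)."""
    findings: List[CookieFinding] = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not is_session_cookie(name):
            continue  # non-session cookies are out of scope for this check
        missing: List[str] = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if require_secure and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append(CookieFinding(name, tuple(missing)))
    return findings


# Constructed sample headers: one weak session cookie, one hardened one, one unrelated cookie.
SAMPLE_HEADERS = [
    "PHPSESSION=abc123; Path=/",                                   # weak: no HttpOnly, no Secure
    "PHPSESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
    "theme=dark; Path=/",                                          # not a session cookie
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

On a real assessment the header list would come from the HTTP response of the login endpoint. For a PHP back end the corresponding fix is to set session.cookie_httponly = 1 (and session.cookie_secure = 1 on HTTPS) in php.ini, or to pass httponly => true via session_set_cookie_params() before session_start(); whether the affected product exposes those settings is not stated on this page.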
Affected products
Endress+Hauser · Endress+Hauser MEAC300-FNADE4
References
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.endress.com
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf