An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION).
CVSS v2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | SINGLE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | CWE-384 |
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| honeywell | xl_web_ii_controller | xlwebexe-1-02-08 | * | Operating System |
| honeywell | xl_web_ii_controller | xlwebexe-2-01-00 | * | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:honeywell:xl_web_ii_controller:xlwebexe-1-02-08:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:honeywell:xl_web_ii_controller:xlwebexe-2-01-00:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| No | cpe:2.3:h:honeywell:xl_web_ii_controller:-:*:*:*:*:*:*:* |