CVE-2021-34563

CWE-10043 documents3 sources

Severity

3.3LOW

EPSS

0.0%

top 85.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phoenix Contact Wha-gw-f2d2-0-as- Z2-eth Phoenix Contact Wha-gw-f2d2-0-as- Z2-eth.eip Pepperl-fuchs Wha-gw-f2d2-0-as-z2-eth.eip Firmware +1 more

Timeline

PublishedAug 31

Latest updateMay 24

Description

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5phoenix_contact/wha-gw-f2d2-0-as-_z2-eth3.0.8, 3.0.9+1

▶CVEListV5phoenix_contact/wha-gw-f2d2-0-as-_z2-eth.eip3.0.8, 3.0.9+1

▶NVDpepperl-fuchs/wha-gw-f2d2-0-as-z2-eth_firmware3.0.8, 3.0.9+1

▶NVDpepperl-fuchs/wha-gw-f2d2-0-as-z2-eth.eip_firmware3.0.8, 3.0.9+1

🔴Vulnerability Details

GHSA

GHSA-mh9v-6mm6-9gm4: In PEPPERL+FUCHS WirelessHART-Gateway 3↗2022-05-24

▶

CVEList

In WirelessHART-Gateway versions 3.0.8 and 3.0.9 the HttpOnly flag is missing in a cookie which allows client-side javascript to modify it↗2021-08-31

▶