CVE-2022-38628

MEDIUM Year: 2022
CVSS v3 Score
6.1
Medium
Weakness Type
CWE-384
View all →

Vulnerability Description

Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors.

Related Vulnerabilities

CVE-2014-10399

MEDIUM
CVSS:6.1(Medium)

The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.

CWE-3842014

CVE-2014-10400

MEDIUM
CVSS:6.1(Medium)

The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SP...

CWE-3842014

CVE-2021-35046

MEDIUM
CVSS:6.1(Medium)

A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.

CWE-3842021

CVE-2022-31798

MEDIUM
CVSS:6.1(Medium)

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to...

CWE-3842022

CVE-2017-5141

MEDIUM
CVSS:6.0(Medium)

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalid...

CWE-3842017

CVE-2017-10600

MEDIUM
CVSS:5.9(Medium)

ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same...

CWE-3842017