Strix
26.1K

CVE-2024-49709

LOWCVSS 2.3/10EPSS 0.18%

Last modified

CVE-2024-49709 is a low-severity vulnerability rated 2.3/10 on the CVSS scale. Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. EPSS estimates a 0.18% chance of exploitation in the next 30 days.

Description

Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not destroy the old sessions when creating new ones, what expands the time frame in which an attack might be performed.  This vulnerability has been patched in version 79.0

Metrics

CVSS 3.1
4.4/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS 4.0
2.3/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
0.18%

7.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Softcom.WrocIksoris< 79.0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-49709?
Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not destroy the old sessions when creating new ones, what expands the time frame in which an attack might be performed.  This vulnerability has been patched in version 79.0
How severe is CVE-2024-49709?
CVE-2024-49709 has a CVSS score of 2.3/10 (LOW severity). The EPSS model estimates a 0.18% probability of exploitation in the next 30 days.
How do I fix CVE-2024-49709?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-49709?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST