CVE-2022-38846

{"id": "CVE-2022-38846", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2022-09-16T14:15:09.670", "references": [{"url": "https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-missing-secure-flag-1664bac5ffe4", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack."}, {"lang": "es", "value": "EspoCRM versi\u00f3n 7.1.8, es vulnerable a Un Flag de Seguridad Faltante que permite al navegador enviar cookies de texto plano a trav\u00e9s de un canal inseguro (HTTP). Un atacante puede capturar la cookie desde el canal inseguro usando un ataque MITM"}], "lastModified": "2022-09-17T02:26:16.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:espocrm:espocrm:7.1.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D43B363E-F815-45B5-9012-8DA44D92F0FC"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}