CVE-2024-41685

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*
cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*

History

10 Oct 2024, 12:48

Type Values Removed Values Added
CPE cpe:2.3:h:syrotech:sy-gpon-1110-wdont:*:*:*:*:*:*:*:* cpe:2.3:h:syrotech:sy-gpon-1110-wdont:-:*:*:*:*:*:*:*

06 Aug 2024, 12:51

Type Values Removed Values Added
First Time Syrotech
Syrotech sy-gpon-1110-wdont
Syrotech sy-gpon-1110-wdont Firmware
References () https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225 - () https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225 - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:h:syrotech:sy-gpon-1110-wdont:*:*:*:*:*:*:*:*
cpe:2.3:o:syrotech:sy-gpon-1110-wdont_firmware:3.1.02-231102:*:*:*:*:*:*:*
CWE CWE-732

01 Aug 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225', 'source': 'vdisclose@cert-in.org.in'}
  • () https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0225 -
Summary
  • (es) Esta vulnerabilidad existe en el enrutador SyroTech SY-GPON-1110-WDONT debido a la falta de la etiqueta HTTPOnly para las cookies de sesión asociadas con la interfaz de administración web del enrutador. Un atacante con acceso remoto podría aprovechar esto interceptando la transmisión dentro de una sesión HTTP en el sistema vulnerable. La explotación exitosa de esta vulnerabilidad podría permitir al atacante capturar cookies y obtener información sensible en el sistema objetivo.

26 Jul 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-26 12:15

Updated : 2024-10-10 12:48


NVD link : CVE-2024-41685

Mitre link : CVE-2024-41685

CVE.ORG link : CVE-2024-41685


JSON object : View

Products Affected

syrotech

  • sy-gpon-1110-wdont
  • sy-gpon-1110-wdont_firmware
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag