CVE-2025-27453

Published Jul 3, 2025

Last updated 4 months ago

CVSS medium 5.3

Overview

Description
The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.
Source
psirt@sick.de
NVD status
Analyzed
Products
meac300-fnade4_firmware

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

psirt@sick.de
CWE-1004

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. During startup, the device automatically logs in the EPC2 Windows user without requesting a password.CVE-2025-27461
  2. The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives.CVE-2025-27460
  3. The VNC application stores its passwords encrypted within the registry but uses DES for encryption. As DES is broken, the original passwords can be recovered.CVE-2025-27459
  4. The SMB server's login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.CVE-2025-27456
  5. The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects.CVE-2025-27455

References

Sources include official advisories and independent security research.