Cookies of authenticated Advantech ADAM-5630 users remain active and valid after a session is closed. Forging requests with a legitimate cookie, even after the session has been terminated, allows an unauthorized attacker to act with the same level of privileges as the legitimate user.
Fixes

Solution

Advantech recommends users upgrade their ADAM-5630 devices to version 2.5.2 (https://www.advantech.com/zh-tw/support/details/firmware).


Workaround

No workaround given by the vendor.

History

Mon, 07 Oct 2024 15:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Advantech adam-5630
Weaknesses          |                | NVD-CWE-Other
CPEs                |                | cpe:2.3:h:advantech:adam-5630:-:*:*:*:*:*:*:*
Vendors & Products  |                | Advantech adam-5630

Fri, 27 Sep 2024 19:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Advantech
                    |                | Advantech adam-5630 Firmware
CPEs                |                | cpe:2.3:o:advantech:adam-5630_firmware:*:*:*:*:*:*:*:*
Vendors & Products  |                | Advantech
                    |                | Advantech adam-5630 Firmware
Metrics             |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Sep 2024 17:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.
Title       |                | Advantech ADAM-5630 Use of Persistent Cookies Containing Sensitive Information
Weaknesses  |                | CWE-539
References  |                |
Metrics     |                | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2024-09-27T18:14:05.172Z

Reserved: 2024-06-26T15:26:29.592Z

Link: CVE-2024-39275

Vulnrichment

Updated: 2024-09-27T18:13:58.969Z

NVD

Status: Analyzed

Published: 2024-09-27T18:15:05.173

Modified: 2024-10-07T15:25:17.050

Link: CVE-2024-39275

Redhat

No data.

OpenCVE Enrichment

No data.