CVE-2025-12031 - Vulnerability Details - OpenCVE

HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://azure-access.com/security-advisories

History

Tue, 21 Oct 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 21 Oct 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description		HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
Title		HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute
Weaknesses		CWE-1004
References		https://azure-access.com/security-advisories
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: azure-access

Published: 2025-10-21T17:22:36.176Z

Updated: 2025-10-21T18:17:10.703Z

Reserved: 2025-10-21T17:16:07.117Z

Link: CVE-2025-12031

Vulnrichment

Updated: 2025-10-21T18:17:06.633Z

NVD

Status : Awaiting Analysis

Published: 2025-10-21T18:15:36.157

Modified: 2025-10-21T19:31:25.450

Link: CVE-2025-12031

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-12031", "assignerOrgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "state": "PUBLISHED", "assignerShortName": "azure-access", "dateReserved": "2025-10-21T17:16:07.117Z", "datePublished": "2025-10-21T17:22:36.176Z", "dateUpdated": "2025-10-21T18:17:10.703Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "BLU-IC2", "vendor": "Azure Access Technology", "versions": [{"lessThanOrEqual": "1.19.5", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "BLU-IC4", "vendor": "Azure Access Technology", "versions": [{"lessThanOrEqual": "1.19.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kevin Schaller"}, {"lang": "en", "type": "finder", "value": "Benjamin Lafois"}, {"lang": "en", "type": "finder", "value": "Alexi Bitsios"}, {"lang": "en", "type": "finder", "value": "Sebastian Toscano"}, {"lang": "en", "type": "finder", "value": "Dominik Schneider"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript context<p>This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.</p>"}], "value": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading\u00a0the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5."}], "impacts": [{"capecId": "CAPEC-107", "descriptions": [{"lang": "en", "value": "CAPEC-107 Cross Site Tracing"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1004", "description": "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "shortName": "azure-access", "dateUpdated": "2025-10-21T17:22:36.176Z"}, "references": [{"url": "https://azure-access.com/security-advisories"}], "source": {"discovery": "UNKNOWN"}, "title": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-21T18:16:56.465919Z", "id": "CVE-2025-12031", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T18:17:10.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12031", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-21T18:16:56.465919Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T18:17:06.633Z"}}], "cna": {"title": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kevin Schaller"}, {"lang": "en", "type": "finder", "value": "Benjamin Lafois"}, {"lang": "en", "type": "finder", "value": "Alexi Bitsios"}, {"lang": "en", "type": "finder", "value": "Sebastian Toscano"}, {"lang": "en", "type": "finder", "value": "Dominik Schneider"}], "impacts": [{"capecId": "CAPEC-107", "descriptions": [{"lang": "en", "value": "CAPEC-107 Cross Site Tracing"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Azure Access Technology", "product": "BLU-IC2", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.19.5"}], "defaultStatus": "unaffected"}, {"vendor": "Azure Access Technology", "product": "BLU-IC4", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.19.5"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://azure-access.com/security-advisories"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading\u00a0the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.", "supportingMedia": [{"type": "text/html", "value": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript context<p>This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1004", "description": "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"}]}], "providerMetadata": {"orgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "shortName": "azure-access", "dateUpdated": "2025-10-21T17:22:36.176Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12031", "state": "PUBLISHED", "dateUpdated": "2025-10-21T18:17:10.703Z", "dateReserved": "2025-10-21T17:16:07.117Z", "assignerOrgId": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "datePublished": "2025-10-21T17:22:36.176Z", "assignerShortName": "azure-access"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading\u00a0the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5."}], "id": "CVE-2025-12031", "lastModified": "2025-10-21T19:31:25.450", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "type": "Secondary"}]}, "published": "2025-10-21T18:15:36.157", "references": [{"source": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "url": "https://azure-access.com/security-advisories"}], "sourceIdentifier": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1004"}], "source": "a0340c66-c385-4f8b-991b-3d05f6fd5220", "type": "Secondary"}]}