Impact
EasyFlow .NET contains a session fixation flaw (CWE‑384) that lets an unauthenticated remote attacker replace a specific session ID for a legitimate user. When the victim subsequently logs in, the attacker can access the user’s privileged session, effectively hijacking the user’s identity. This vulnerability results in unauthorized access to user accounts and the data and actions they are permitted to perform.
Affected Systems
The vulnerability affects Digiwin EasyFlow .NET deployments running versions prior to 8.1.5. Any installation that has not applied the update released by Digiwin is vulnerable.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity, and the attack can be carried out from a remote network without authentication by manipulating HTTP headers or cookies. While no EPSS data is provided and the issue is not listed in KEV, the potential impact on confidentiality, integrity and availability warrants rapid remediation. Attackers can exploit the flaw by sending a crafted request that sets a known session ID for a target user, then waiting for the user to authenticate to gain that session. This makes the vulnerability easily exploitable in environments where session cookies are not regenerated after login.
OpenCVE Enrichment