
CVE-2021-42115 : What You Need to Know

This CVE describes a vulnerability allowing remote attackers to escalate privileges in TopEase platform by manipulating session cookies. Learn the impact, affected systems, and mitigation steps.

This CVE describes a vulnerability in Business-DNA Solutions GmbH's TopEase platform version <= 7.1.27, allowing remote attackers to escalate privileges via stealing and injecting session-independent cookies.

Understanding CVE-2021-42115

What is CVE-2021-42115?

Business-DNA Solutions GmbH's TopEase platform version <= 7.1.27 is affected by a missing HTTPOnly flag vulnerability, enabling unauthenticated remote attackers to elevate privileges.

The Impact of CVE-2021-42115

The vulnerability allows attackers to transition from unauthenticated to authenticated users by manipulating session cookies.

Technical Details of CVE-2021-42115

Vulnerability Description

The flaw arises from the absence of the HTTPOnly flag in sensitive cookies used by web applications on the TopEase platform.

Affected Systems and Versions

        Product: TopEase
        Vendor: Business-DNA Solutions GmbH
        Versions Affected: <= 7.1.27

Exploitation Mechanism

Attackers can escalate their privileges by stealing and injecting the UID cookie, which is static and independent of any session, so a stolen value remains valid.

Mitigation and Prevention

Immediate Steps to Take

        Set the HTTPOnly flag on session and identity cookies so client-side scripts cannot read them.
        Regularly monitor and audit session management mechanisms.
        Use multi-factor authentication to mitigate unauthorized access.
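As an added example (not code from the advisory or from the vendor), the following script audits Set-Cookie headers for the protections listed above. The sample headers are constructed; the cookie name UID is the one the advisory names, and JSESSIONID is an assumed second identity cookie. HTTPOnly only blocks script access, so a static, session-independent identifier still needs a server-side change to a per-session value.

```python
# Audit Set-Cookie headers for the cookie flags the mitigation steps call for.
# SAMPLE_HEADERS are constructed for this example, not captured from TopEase.
SAMPLE_HEADERS = [
    "Set-Cookie: UID=1001; Path=/",
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
]

# Cookies that carry identity or session state. UID comes from the advisory;
# JSESSIONID is an assumed example of another sensitive cookie.
SENSITIVE = {"UID", "JSESSIONID"}


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie line.

    Attribute names are lowercased; flag attributes without a value map to True.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit(headers, sensitive=SENSITIVE):
    """Map each sensitive cookie to the list of protections it is missing."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue  # non-sensitive cookies such as UI preferences are ignored
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if str(attrs.get("samesite", "")).lower() not in {"lax", "strict"}:
            missing.append("SameSite")
        findings[name] = missing
    return findings


def harden(name, value, max_age=3600):
    """Build a Set-Cookie value carrying the flags the audit expects."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {missing or 'nothing'}")
```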

Long-Term Security Practices

        Conduct security assessments and penetration testing regularly.
        Educate users about secure session management practices.

Patching and Updates

        Apply patches and updates provided by Business-DNA Solutions GmbH to fix the vulnerability.
