CVE-2022-21939 HIGH

CVE-2022-21939: Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)

Vendor Johnson Controls

Product System Configuration Tool (SCT)

Weakness CWE-1004

Published February 9, 2023

Last update March 24, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

Key dates

02Disclosure timeline

February 9, 2023 CVE published

March 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-21939 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/1004.html

Related vulnerabilities

Identifiers

CVE CVE-2022-21939

CWE CWE-1004

CVSS 7.5 / HIGH

Affected versions

Vendor Johnson Controls

Product System Configuration Tool (SCT)

Affected ≥ 14 and < 14.2.3

Vendor Johnson Controls

Product System Configuration Tool (SCT)

Affected ≥ 15 and < 15.0.3

CVE-2022-21939: Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)

01Description

02Disclosure timeline

03References

04Related CVE