CVE-2024-49709 LOW

CVE-2024-49709: XSS in iKSORIS

Vendor Softcom
Product iKSORIS
Weakness CWE-384 · Session fixation
Published April 14, 2025
Last update April 14, 2025

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Internet Starter, one of the SoftCOM iKSORIS system modules, allows an arbitrary session cookie value to be set. An attacker with access to the user's browser might set such a cookie, wait until the user logs in, and then use the same cookie to take over the account. Moreover, the system does not destroy old sessions when creating new ones, which widens the time frame in which an attack might be performed. This vulnerability has been patched in version 79.0.
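The two server-side controls whose absence the description reports (accepting only server-issued session identifiers, and destroying old sessions when a new one is created at login) are sketched below as an added example; it is not iKSORIS or Softcom code. The `SessionStore` class, its method names, and the sample cookie value are hypothetical, and ending all of a user's earlier sessions at login is one possible policy, assumed here.

```python
import secrets
import time


class SessionStore:
    """Hypothetical in-memory session store illustrating fixation defences."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}  # session id -> {"user": str | None, "expires": float}
        self._ttl = ttl_seconds

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(32)  # server-generated, unguessable id
        self._sessions[sid] = {"user": user, "expires": time.time() + self._ttl}
        return sid

    def _live(self, sid):
        entry = self._sessions.get(sid)
        if entry is not None and entry["expires"] < time.time():
            del self._sessions[sid]  # expired sessions are destroyed, not kept
            return None
        return entry

    def resolve(self, cookie_sid):
        """Never adopt an id the server did not issue: unknown ids get replaced."""
        return cookie_sid if self._live(cookie_sid) else self._issue()

    def login(self, cookie_sid, user):
        """Rotate the id at login and destroy the pre-login and older sessions."""
        self._sessions.pop(cookie_sid, None)
        stale = [s for s, e in self._sessions.items() if e["user"] == user]
        for sid in stale:
            del self._sessions[sid]
        return self._issue(user)

    def user_for(self, cookie_sid):
        entry = self._live(cookie_sid)
        return entry["user"] if entry else None


def planted_cookie_outcome():
    """Walk a planted cookie (constructed value) through resolve and login."""
    store = SessionStore()
    planted = "planted-cookie-value"      # constructed sample, not server-issued
    pre_login = store.resolve(planted)    # server substitutes its own id
    post_login = store.login(pre_login, "alice")
    return store, planted, pre_login, post_login
```

After login, neither the planted value nor the pre-login identifier maps to an authenticated user, so a cookie known before authentication is of no use afterwards.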

Key dates

02 Disclosure timeline

April 14, 2025 CVE published
April 14, 2025 Record updated