Reliance on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows Session Credential Falsification through Manipulation, Accessing/Intercepting/Modifying HTTP Cookies, Manipulating Opaque Client-based Data Tokens. This issue affects Elektraweb: before v17.0.68.
The Elektraweb application stores session data in cookies without proper verification of their integrity and authenticity. An attacker can modify cookie values or intercept and replace session tokens transmitted over HTTP. Since the application does not verify the validity of this data, manipulated cookies are accepted as valid, allowing the attacker to assume the identity of another user.
An attacker can forge or take over the session of any application user, gaining unauthorized access to their data and system functions. As a result, it is possible to violate the confidentiality, integrity, and availability of data processed by Elektraweb.
Elektraweb should be updated to version v17.0.68 or newer. Detailed information is available in the manufacturer's references and in the USOM message under number TR-24-0808.
Talya Informatics Elektraweb in versions prior to v17.0.68
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H