CRITICAL🇵🇱 Wersja polska

CVE-2025-26844

CVSS 9.8v3.1pub. 2025-05-08upd. 2025-06-12

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

🤖 AI Analysis
How it works

The HttpOnly flag in the HTTP cookie header prevents client-side scripts (e.g., JavaScript) from accessing its value. When this flag is not set, an attacker can exploit an XSS vulnerability or other script execution mechanism in the victim's browser to read the cookie value and hijack the logged-in user's session. The absence of this flag is classified as CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag).

Impact

An attacker can steal the victim's session cookie and take over their authenticated session in the application, gaining access to data and functions with the privileges of the attacked user.

Mitigation & patch

Apply patches available from the vendor according to the references (https://www.znuny.org/en/advisories/zsa-2025-05). It is recommended to update to a version higher than 7.1.3.

Who is affected

Znuny in versions up to and including 7.1.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Znuny

    APP
    Znuny
    ≤ 7.1.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26846CRITICAL9.8PL ✓ten sam produkt

Brak weryfikacji uprawnień w Generic Interface systemu Znuny (eskalacja uprawnień)

CVE-2025-26845CRITICAL9.8PL ✓ten sam produkt

Eval Injection w Znuny umożliwia zdalne wykonanie poleceń

CVE-2024-32491CRITICAL9.8PL ✓ten sam produkt

Path traversal i RCE w Znuny poprzez manipulację żądaniem AJAX

CVE-2025-26842HIGH7.5ten sam produkt

An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encr...

CVE-2025-26847HIGH7.5ten sam produkt

An issue was discovered in Znuny before 7.1.5. When generating a support bundle, not all passwords are masked.