This issue could lead to the disclosure of sensitive data if an attacker tricks a user into visiting a malicious website.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 uses a GET request to perform certain tasks that require an update. However, the GET request does not provide a way to update certain fields. Therefore, an attacker could perform an unauthorized update to a system that requires high security.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have a built-in way to validate non-secure cookies. This issue could allow an attacker to steal cookies and other data from a target system.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have a way to validate the HttpOnly attribute of a cookie. This issue could allow an attacker to steal cookie data from a target system.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have a way to validate the Secure attribute of a cookie. This issue could allow an attacker to steal cookie data from a target system.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have a way to

How do I find out if my system is vulnerable?

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 is not vulnerable to this issue, but you should contact Unisys to find out if your system is vulnerable.

Check the Version of Unisys Data Exchange Management Studio Software

Make sure the system is running Unisys Data Exchange Management Studio before 6.0.IC2. If it isn't, then update it to this version as soon as possible.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 uses a GET request to perform certain tasks that require an update. However, the GET request does not provide a way to update certain fields; therefore, an attacker could perform an unauthorized update to a system that requires high security or steal cookies and other data from a target system by using these vulnerabilities.

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have a built-in way to validate non-secure cookies; therefore, an attacker could steal cookies and other data from a target system by using these vulnerabilities that exist in the software's HTTP request processing functions, which are performed on behalf of users who don't have access privileges over their own systems or who don't have full control over their systems' configurations and settings (such as Java permissions).

Unisys Data Exchange Management Studio before 6.0.IC2 and 7.x before 7.0.IC1 doesn't have a way to validate the HttpOnly attribute of a cookie; therefore, an attacker can steal cookie data from a target system by using these vulnerabilities that exist in the software's HTTP request processing functions
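
One way to check a deployment for the missing Secure and HttpOnly cookie attributes described above is to audit the Set-Cookie headers it returns. This is an added example, not code from Unisys or from the original page; the function names and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly
# attributes. The sample headers are constructed; they were not captured
# from Unisys Data Exchange Management Studio.

REQUIRED_ATTRS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercased_attribute: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive. Flag attributes such as
        # Secure and HttpOnly count as set whenever they are present.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Map each cookie name to the required attributes it lacks."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in REQUIRED_ATTRS if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample input: one Set-Cookie value per list entry.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "prefs=dark; Path=/; Secure",
    "auth=tok; Path=/; secure; HTTPONLY; SameSite=Strict",
    "track=1; Path=/; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Pass it the Set-Cookie values from responses of your own installation, for example as shown in browser developer tools.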

Timeline

Published on: 09/13/2022 20:15:00 UTC
Last modified on: 09/17/2022 00:18:00 UTC

References