CVE-2021-40649
Description
Connx 6.2.0.1269 sets a cookie without the HttpOnly flag, allowing XSS token theft or session hijacking via client-side script access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Connx 6.2.0.1269 sets a cookie without the HttpOnly flag, allowing XSS token theft or session hijacking via client-side script access.
Vulnerability
In Connx version 6.2.0.1269 (20210623), the application issues the TSWAAuthClientSideCookie cookie without the HttpOnly flag. This allows client-side scripts (JavaScript) to access the cookie. The affected software is Connx Remote Desktop Web (RDWeb) component, deployed on Microsoft IIS 10.0. The cookie is set in the HTTP response with Set-Cookie: TSWAAuthClientSideCookie=... and lacks the HttpOnly attribute, unlike another cookie (TSWAAuthHttpOnlyCookie) which correctly includes Secure; HttpOnly [1].
Exploitation
An attacker needs to have some way to inject client-side script into responses served by the Connx application — typically via a cross-site scripting (XSS) vulnerability or by intercepting and modifying responses (e.g., in a man-in-the-middle scenario with HTTP, though the cookie uses the Secure flag). If the attacker can execute arbitrary JavaScript in the victim's browser in the context of the Connx application, they can read the TSWAAuthClientSideCookie via document.cookie. The cookie contains authentication-relevant data (Name, MachineType, WorkSpaceID) that can be exfiltrated to an attacker-controlled server [1].
Impact
An attacker who successfully exfiltrates the TSWAAuthClientSideCookie can impersonate the victim user to the Connx application, potentially gaining unauthorized access to remote desktop sessions or resources associated with the user's workspace. The impact is information disclosure of session credentials and potential session hijacking, leading to a compromise of confidentiality and possibly integrity (if the attacker can perform actions as the victim) [1].
Mitigation
No official fix or patch version has been disclosed for this vulnerability in the available references as of the publication date. The vendor was reportedly contacted on 2021-09-07 via the Connx support portal, but no response or patch has been released [1]. Administrators should consider restricting client-side script execution via CSP headers, or applying additional web application firewall rules to mitigate exploitation until a patch is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Connx/Connxdescription
- Range: =6.2.0.1269
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- connx.commitrex_refsource_MISC
News mentions
0No linked articles in our index yet.