CVE-2021-40650
Description
Connx 6.2.0.1269 issues a cookie without the Secure flag, exposing session data over unencrypted HTTP connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Connx version 6.2.0.1269 (20210623), the application sets the ASP.NET anonymous-identification cookie (Set-Cookie: .ASPXANONYMOUS) without the Secure attribute. The application issues the cookie over HTTPS, but a cookie without Secure is attached by the browser to every request for the same host, including plain http:// requests, so it can be exposed on an unencrypted connection. This is contrary to accepted practice for cookies that carry session or identity state. [1]
Exploitation
An attacker on the network path of an unencrypted HTTP connection (for example, on an open or compromised Wi-Fi network) can read the cookie from the plaintext request. Because the cookie is HttpOnly but not Secure, the browser sends it on any http:// request to the host. An HTTP-to-HTTPS redirect on the server does not prevent this: the cookie has already been transmitted in the plaintext request that triggers the redirect, so only Secure on the cookie (or HSTS on the host) stops the exposure. The only user action required is that the victim's browser issue a plain-HTTP request to the application while on an untrusted network. [1]
Impact
A successful attacker can obtain the session cookie, allowing them to impersonate the victim and gain unauthorized access to the application's functionality and data under the victim's privileges. This leads to potential information disclosure and account takeover. [1]
Mitigation
The application must set the Secure attribute on this cookie, and on any other cookie carrying identity or session state, so that browsers send it only over HTTPS. As of the published reference, the vendor has not named a fixed version. Administrators should serve the application over HTTPS only, enable HTTP Strict Transport Security so browsers never issue the plaintext request in the first place, and set the Secure attribute through application configuration or web-server rules. For an ASP.NET application, for example, <httpCookies requireSSL="true" /> in web.config marks all cookies Secure, and <anonymousIdentification cookieRequireSSL="true" /> does so for .ASPXANONYMOUS specifically. [1]
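The following is an added example for verifying a fix like the one above; it is not code from the page or from the Connx product. It audits a Set-Cookie value for the Secure, HttpOnly and SameSite attributes, then uses the standard-library cookie jar to show the browser rule the advisory depends on: a cookie received over HTTPS without Secure is attached to a later http:// request for the same host, while a Secure cookie is not. The two header values and the hostname connx.example are constructed for the example; only the cookie name and the HttpOnly-without-Secure shape come from the advisory.

```python
"""Audit a Set-Cookie header and show whether the cookie would leak over plain HTTP.

Added example, not part of the original advisory or the Connx product.
"""
from http.client import HTTPMessage
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample headers (not captured from the product). The first has the
# shape the advisory describes (HttpOnly set, Secure absent); the second is the
# hardened form an administrator should see after the fix.
WEAK_HEADER = ".ASPXANONYMOUS=ExampleOpaqueValue; path=/; HttpOnly"
HARDENED_HEADER = (
    ".ASPXANONYMOUS=ExampleOpaqueValue; path=/; Secure; HttpOnly; SameSite=Lax"
)


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and list its transport-hardening issues."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    flags = {"secure": False, "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            flags["secure"] = True
        elif key == "httponly":
            flags["httponly"] = True
        elif key == "samesite":
            flags["samesite"] = val.strip().lower() or None
    issues = []
    if not flags["secure"]:
        issues.append("missing Secure: browser will send the cookie over plaintext HTTP")
    if not flags["httponly"]:
        issues.append("missing HttpOnly: cookie readable from script")
    if flags["samesite"] is None:
        issues.append("no SameSite attribute")
    return {"name": name, **flags, "issues": issues}


class _Response:
    """Minimal stand-in for an http.client response: CookieJar only needs info()."""

    def __init__(self, set_cookie_values):
        self._headers = HTTPMessage()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookie_sent_over_http(header_value: str, host: str = "connx.example") -> bool:
    """Store the cookie as if received over HTTPS, then check whether the jar
    attaches it to a plain http:// request for the same (hypothetical) host.
    The jar applies the same rule browsers do: Secure cookies go only to https."""
    jar = CookieJar()
    jar.extract_cookies(_Response([header_value]), Request(f"https://{host}/"))
    plaintext_request = Request(f"http://{host}/Default.aspx")
    jar.add_cookie_header(plaintext_request)
    return plaintext_request.get_header("Cookie") is not None


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        report = audit_set_cookie(header)
        print(
            f"{label}: {report['name']} issues={report['issues']} "
            f"sent_over_http={cookie_sent_over_http(header)}"
        )
```

To check a live deployment, feed the real Set-Cookie values from a response (for example from `curl -sI https://host/`) into `audit_set_cookie`; any .ASPXANONYMOUS or session cookie that reports "missing Secure" is still affected, whatever redirects the server performs.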
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Connx / Connx
- Range: = 6.2.0.1269 (20210623)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] connx.com (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.