CVE-2024-49709

Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not destroy the old sessions when creating new ones, what expands the time frame in which an attack might be performed. This vulnerability has been patched in version 79.0

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert.pl/en/posts/2025/04/CVE-2024-10087	Third Party Advisory
https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:softcom.wroc:iksoris:*:*:*:*:*:*:*:*

History

28 Oct 2025, 17:07

Type	Values Removed	Values Added
References	~~() https://cert.pl/en/posts/2025/04/CVE-2024-10087 -~~	() https://cert.pl/en/posts/2025/04/CVE-2024-10087 - Third Party Advisory
References	~~() https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html -~~	() https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html - Product
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.4
CPE		cpe:2.3:a:softcom.wroc:iksoris::::::::
First Time		Softcom.wroc Softcom.wroc iksoris

15 Apr 2025, 18:39

Type	Values Removed	Values Added
Summary		(es) Internet Starter, uno de los módulos del sistema SoftCOM iKSORIS, permite configurar un valor arbitrario para las cookies de sesión. Un atacante con acceso al navegador del usuario podría configurar dicha cookie, esperar a que el usuario inicie sesión y usarla para robar la cuenta. Además, el sistema no destruye las sesiones antiguas al crear nuevas, lo que amplía el plazo para realizar un ataque. Esta vulnerabilidad ha sido corregida en la versión 79.0.

14 Apr 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-14 12:15

Updated : 2025-10-28 17:07

NVD link : CVE-2024-49709

Mitre link : CVE-2024-49709

CVE.ORG link : CVE-2024-49709

JSON object : View

Products Affected

softcom.wroc

iksoris

CWE

CWE-384

Session Fixation

{"id": "CVE-2024-49709", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-04-14T12:15:15.707", "references": [{"url": "https://cert.pl/en/posts/2025/04/CVE-2024-10087", "tags": ["Third Party Advisory"], "source": "cvd@cert.pl"}, {"url": "https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html", "tags": ["Product"], "source": "cvd@cert.pl"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "Internet Starter, one of SoftCOM iKSORIS system modules,\u00a0allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. \nMoreover, the system does not destroy the old sessions when creating new ones, what expands the time frame in which an attack might be performed.\u00a0\nThis vulnerability has been patched in version 79.0"}, {"lang": "es", "value": "Internet Starter, uno de los m\u00f3dulos del sistema SoftCOM iKSORIS, permite configurar un valor arbitrario para las cookies de sesi\u00f3n. Un atacante con acceso al navegador del usuario podr\u00eda configurar dicha cookie, esperar a que el usuario inicie sesi\u00f3n y usarla para robar la cuenta. Adem\u00e1s, el sistema no destruye las sesiones antiguas al crear nuevas, lo que ampl\u00eda el plazo para realizar un ataque. Esta vulnerabilidad ha sido corregida en la versi\u00f3n 79.0."}], "lastModified": "2025-10-28T17:07:50.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:softcom.wroc:iksoris:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBEAE944-6510-4EC5-9B56-3A279DCD02D3", "versionEndExcluding": "79.0"}], "operator": "OR"}]}], "sourceIdentifier": "cvd@cert.pl"}