CVE-2022-31798
Published: 25 August 2022
Summary
CVE-2022-31798 is a medium-severity Session Fixation (CWE-384) vulnerability in Nortekcontrol Emerge E3 Firmware. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Nortek Linear eMerge E3-Series devices running firmware 0.32-07p are affected by a reflected cross-site scripting flaw in the card_scan.php endpoint that accepts an unsanitized CardFormatNo parameter. The same request path also permits session fixation via the PHPSESSID cookie, and the two issues can be chained together. The vulnerability is tracked as CWE-384 and carries a CVSS 3.1 score of 6.1.
An unauthenticated remote attacker can supply a crafted URL containing both the XSS payload and a chosen session identifier. When an administrator or user follows the link, the attacker-controlled PHPSESSID becomes bound to the victim’s session while script executes in the application’s origin. This allows the attacker to hijack the authenticated session and assume control of either a standard user or administrative account.
Public exploit code demonstrating the account-takeover technique has been released on Packet Storm and in a GitHub Gist. The CVE’s current EPSS score of 0.8661 matches its recorded peak, reflecting sustained exploitation interest since disclosure. No vendor advisory or patch information appears in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53188
Vulnerability details
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult.
Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier.
Session management controls enforce proper session ID generation and binding, preventing fixation of a known session token.
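The controls above map onto a few concrete PHP settings. The handler below is an added hardening example, not the vendor's card_scan.php: it adopts only server-issued PHPSESSID values, rotates the ID at authentication, expires idle sessions, and validates and encodes the reflected CardFormatNo parameter. The parameter name comes from the advisory; the numeric format, the idle limit and the function names are assumed for illustration (PHP 7.3+ for the array form of session_set_cookie_params).

```php
<?php
// Added example, not the product's code. Hardened shape of a
// card_scan.php-style endpoint against the two weaknesses in this CVE.

// 1. Session fixation: never adopt a client-supplied session ID unless the
//    server itself issued it. With use_strict_mode a PHPSESSID that was
//    never created server-side is discarded and a fresh ID is generated.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');   // ignore PHPSESSID in the URL
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // cookie only over TLS
    'httponly' => true,      // not readable by script, blunts the XSS half of the chain
    'samesite' => 'Strict',
]);
session_start();

// 2. Rotate the ID at every privilege change so an ID that existed before
//    authentication never becomes an authenticated one. Call this only
//    after credentials have been verified (assumed caller).
function establish_authenticated_session(string $user, string $role): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['user']  = $user;
    $_SESSION['role']  = $role;
    $_SESSION['login'] = time();
}

// 3. Idle timeout: the "session termination after a set interval" control.
const IDLE_LIMIT = 900; // seconds, assumed value
if (isset($_SESSION['last']) && time() - $_SESSION['last'] > IDLE_LIMIT) {
    session_unset();
    session_destroy();
    http_response_code(401);
    exit('Session expired');
}
$_SESSION['last'] = time();

// 4. Reflected XSS: validate the input (assumed to be a short number) and
//    encode it for the HTML context before it is reflected.
$raw = $_GET['CardFormatNo'] ?? '';
if (!preg_match('/^\d{1,4}$/', $raw)) {
    http_response_code(400);
    exit('Invalid CardFormatNo');
}
$safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Card format: {$safe}</p>";
```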