Cyber Resilience

CVE-2022-31798

Medium · Public PoC

Published: 25 August 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.8661 (99.4th percentile)
Risk priority: 64 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31798 is a medium-severity Session Fixation (CWE-384) vulnerability in Nortekcontrol Emerge E3 Firmware. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Nortek Linear eMerge E3-Series devices running firmware 0.32-07p are affected by a reflected cross-site scripting flaw in the card_scan.php endpoint that accepts an unsanitized CardFormatNo parameter. The same request path also permits session fixation via the PHPSESSID cookie, and the two issues can be chained together. The vulnerability is tracked as CWE-384 and carries a CVSS 3.1 score of 6.1.

An unauthenticated remote attacker can supply a crafted URL containing both the XSS payload and a chosen session identifier. When an administrator or user follows the link, the attacker-controlled PHPSESSID becomes bound to the victim’s session while script executes in the application’s origin. This allows the attacker to hijack the authenticated session and assume control of either a standard user or administrative account.

Public exploit code demonstrating the account-takeover technique has been released on Packet Storm and in a GitHub Gist. The CVE’s current EPSS score of 0.8661 matches its recorded peak, reflecting sustained exploitation interest since disclosure. No vendor advisory or patch information appears in the available references.

Vulnerability details

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.

CWE(s)

CWE-384 (Session Fixation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nortekcontrol emerge e3 firmware, versions ≤ 0.32-07p

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-384: Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult.

Addresses CWE-384: Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier.

Addresses CWE-384: Proper session ID generation and binding prevents fixation of a known session token.
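The three controls above come down to a few server-side rules: never adopt a session ID the server did not itself issue, rotate the ID whenever the session's privilege changes (login, re-authentication), and expire idle sessions. The following is an added example written for this page, not code from the eMerge E3 firmware or from any project; `SessionStore`, `outcome`, `survives_idle` and the 15-minute idle window are constructed for illustration. It models a minimal session table in the PHPSESSID role and shows, with the permissive settings switched on and off, whether an ID a third party knew before login ends up bound to an authenticated user.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # constructed value for this example


class SessionStore:
    """Server-side session table keyed by session ID (the PHPSESSID role)."""

    def __init__(self, strict=True, rotate_on_login=True, clock=time.time):
        self.strict = strict                    # reject IDs the server never issued
        self.rotate_on_login = rotate_on_login  # issue a new ID when privilege changes
        self._clock = clock                     # injectable for the idle-timeout check
        self._sessions = {}                     # sid -> {"user": ..., "last_seen": ...}

    def _create(self, sid=None, user=None):
        # Fresh IDs come from a CSPRNG; a caller-supplied sid is only honoured
        # in permissive mode (see resolve()).
        sid = sid or secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def resolve(self, cookie_sid):
        """Map the cookie value on an incoming request to a live session ID."""
        now = self._clock()
        sess = self._sessions.get(cookie_sid) if cookie_sid else None
        if sess is not None:
            if now - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
                # Session termination: an expired session is dropped, so any
                # ID, fixed or not, is only usable within the idle window.
                del self._sessions[cookie_sid]
            else:
                sess["last_seen"] = now
                return cookie_sid
        if cookie_sid and not self.strict:
            # Permissive mode: adopt whatever ID the client presented, even one
            # the server never generated. This is the fixation-prone pattern.
            return self._create(sid=cookie_sid)
        # Strict mode: unknown or expired IDs are ignored and a new anonymous
        # session is started instead.
        return self._create()

    def login(self, sid, user):
        """Authenticate the session. With rotation, the pre-auth ID is discarded
        so an ID known to anyone else never becomes the privileged one."""
        if self.rotate_on_login:
            self._sessions.pop(sid, None)
            return self._create(user=user)
        self._sessions[sid]["user"] = user
        return sid

    def user_for(self, cookie_sid):
        sess = self._sessions.get(cookie_sid)
        return sess["user"] if sess else None


def outcome(strict, rotate_on_login, clock=time.time):
    """Which user, if any, is reachable through an ID the victim did not choose,
    after the victim logs in. None means the control held."""
    store = SessionStore(strict=strict, rotate_on_login=rotate_on_login, clock=clock)
    preset_sid = "id-set-by-a-third-party"  # constructed value, not a real ID
    sid = store.resolve(preset_sid)          # victim's browser presents the preset cookie
    store.login(sid, "admin")
    return store.user_for(preset_sid)


def survives_idle(idle_seconds):
    """Does an authenticated session still resolve after idle_seconds of silence?"""
    now = [1_000_000.0]                       # fake clock so the test is deterministic
    store = SessionStore(clock=lambda: now[0])
    sid = store.login(store.resolve(None), "operator")
    now[0] += idle_seconds
    return store.user_for(store.resolve(sid))


if __name__ == "__main__":
    for strict in (False, True):
        for rotate in (False, True):
            print(f"strict={strict!s:5} rotate_on_login={rotate!s:5} ->",
                  outcome(strict, rotate))
```

Either control alone defeats the fixation path in this model: strict mode means the preset ID is never accepted as a session, and rotation means whatever ID existed before login is not the one that carries the authenticated state. Running both, plus the idle timeout, is the usual defence-in-depth arrangement.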
