Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. The 'sid' parameter in the group_status.asp resource allows an attacker to escalate privileges and obtain sensitive information.
The vulnerability results from improper handling of the session identifier ('sid') in the group_status.asp resource. An attacker can provide a predetermined session identifier to the victim, and after authentication, take control of that session. The Session Fixation mechanism works by the application failing to regenerate the session identifier after user login, allowing the attacker to use a session with known parameters.
An attacker can hijack a logged-in user's session, leading to privilege escalation and unauthorized access to sensitive information processed by the system.
Patches available from the manufacturer should be applied according to references. Additionally, it is recommended to restrict access to the SSA web interface only to trusted networks and implement an additional authentication layer.
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFranklin Electric System Sentinel Anyware
APPFranklin-Electric1.6.24.492