CVE-2025-27223
HIGHDescription
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| rocketsoftware | trufusion_enterprise |
References
Frequently Asked Questions
What is CVE-2025-27223? +
How severe is CVE-2025-27223? +
What products are affected by CVE-2025-27223? +
How do I check if I'm vulnerable to CVE-2025-27223? +
Related Vulnerabilities
This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated …
This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. …
An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set …
This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's …
A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker …