SICK Field Analytics and Media Server HttpOnly Cookie Vulnerability
Vulnerability
A vulnerability exists in SICK Field Analytics and SICK Media Server due to the session cookie's HttpOnly flag being set to false. This misconfiguration allows client-side scripts to access the cookie, increasing the risk of Cross-Site Scripting (XSS) attacks that target stored cookies. The issue is present in SICK Media Server versions through 1.4 and in all versions of SICK Field Analytics.
Impact
Exploitation of this vulnerability could lead to Cross-Site Scripting attacks, where an attacker could access and manipulate cookies through client-side scripts.
Remediation
Users of SICK Media Server are strongly recommended to upgrade to version 1.5 or later. For SICK Field Analytics, ensure that only trusted entities have access to the device and apply general security measures to operate the product in a protected IT environment.
