VulnerAlert



APPLICATION
28-10-2025 16:27

CVE-2025-27223 Documented vulnerability

No score
Tags
#list
#form
#application
#/cookie(.*)information(.*)|(.*)free(.*)wp(.*)gdpr(.*)consent(.*)plugin/iU
#cookie information | free wp gdpr consent plugin
#allow
#access
Description
TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.
https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27223.txt
https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/
https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise
Reference
CVE-2025-27223
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-27223
Similar results
Matching at least 50% of the tags
28-10-2025 CVE-2025-34317
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vu...
28-10-2025 CVE-2025-34316
IPFire versions prior to 2.29 (Core Update 198) contain a stored cross-site scripting (XSS) vu...
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023