CVEFinder.io

CVE-2025-70973

🔶 medium
Summary

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. A session created before login therefore becomes an authenticated session once the victim logs in, so an attacker who first obtains a pre-authentication JSESSIONID and gets the victim to log in with it (for example by planting the cookie) can then reuse that same identifier to act as the authenticated user.
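The following is an added example, not ScadaBR code and not taken from the referenced advisory. It shows the check a tester would run for the behaviour described above (does the JSESSIONID issued before login survive a successful login?) and contrasts a hypothetical servlet-style session store that keeps the pre-auth identifier with one that rotates it. The session store, login handlers and Set-Cookie header values are all constructed for the demonstration.

```python
"""Session-fixation check for JSESSIONID-style cookies, with a minimal
simulation of the vulnerable and corrected login flows.

Added example: the SessionStore class is a hypothetical stand-in for a
servlet container, not ScadaBR's implementation. Cookie headers below are
constructed sample data.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

COOKIE = "JSESSIONID"


def session_id_from_set_cookie(header: Optional[str]) -> Optional[str]:
    """Extract the JSESSIONID value from a raw Set-Cookie header, or None."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(COOKIE)
    return morsel.value if morsel else None


def is_session_fixed(pre_login_id: str, post_login_set_cookie: Optional[str]) -> bool:
    """True when the id issued to the unauthenticated client survives login.

    pre_login_id: JSESSIONID value received before authenticating
    post_login_set_cookie: Set-Cookie header (if any) on the successful login response
    """
    new_id = session_id_from_set_cookie(post_login_set_cookie)
    # No Set-Cookie at all, or the same id re-issued, means the pre-auth
    # session is now the authenticated one: the fixation condition.
    return new_id is None or new_id == pre_login_id


class SessionStore:
    """Hypothetical in-memory session store standing in for a servlet container."""

    def __init__(self) -> None:
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, user: str) -> Tuple[str, Optional[str]]:
        """Marks the existing session authenticated without rotating its id."""
        self.sessions[sid]["user"] = user
        return sid, None  # login response sets no new cookie

    def login_hardened(self, sid: str, user: str) -> Tuple[str, str]:
        """Drops the pre-auth session and issues a fresh id on login."""
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid, f"{COOKIE}={new_sid}; Path=/; HttpOnly"

    def user_for(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def demo(hardened: bool) -> dict:
    """Attacker obtains a pre-auth id, victim logs in with it, attacker replays it."""
    store = SessionStore()
    planted = store.new_session()  # attacker's pre-authentication JSESSIONID
    login = store.login_hardened if hardened else store.login_vulnerable
    _, set_cookie = login(planted, "admin")  # victim authenticates using the planted id
    return {
        "fixation": is_session_fixed(planted, set_cookie),
        "attacker_user": store.user_for(planted),  # who the planted id now resolves to
    }


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))  # fixation True, attacker_user 'admin'
    print("hardened:  ", demo(hardened=True))   # fixation False, attacker_user None
```

Against a live target the same `is_session_fixed` check is driven by two HTTP exchanges: an unauthenticated GET to collect the initial JSESSIONID, then the login POST sent with that cookie, comparing the Set-Cookie header on the login response. For a Java servlet application the rotation shown by `login_hardened` corresponds to calling `HttpServletRequest.changeSessionId()` (Servlet 3.1 and later) or invalidating the session and creating a new one immediately after the credentials are verified.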

CVSS Score
4.8
Medium
EPSS Score
0.1
Exploit Probability
Published Date
2026-03-09
First Seen: 2026-03-10
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 13.8% of all 326,604 vulnerabilities in our database.

#281,479
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Mar 10, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-04-07
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 1

https://github.com/chiranjib2001/ScadaBR/blob/main/R...
Exploit Mailing List Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8602 ⛔ critical 9.1 0.1 In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated at... 2026-05-19
CVE-2026-8603 ⛔ critical 9.8 0.4 In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on t... 2026-05-19
CVE-2026-8604 ⚠️ high 8.8 0.0 In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a vic... 2026-05-19
CVE-2026-8605 ⛔ critical 9.8 0.1 In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA syst... 2026-05-19
CVE-2021-26828 ⚠️ high 8.8 78.6 OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and exe... 2021-06-11
CVE-2021-26829 🔶 medium 5.4 13.6 OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm. 2021-06-11
These CVEs affect the same products