CVE-2025-27223

High CVSS: 7.5

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.

Vendor

Rocketsoftware

Product

Trufusion Enterprise

CWE

CWE-1004

Yayın Tarihi

2025-10-27 17:15:37

Güncelleme

2025-10-31 20:35:08

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-1004 Trufusion Enterprise HIGH Rocketsoftware 2025

Referanslar

https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27223.txt https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise/ https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise

Benzer Kayıtlar

High

CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is…

Critical

CVE-2025-59793

Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /axis2/services/WsPortalV6UpDwAxis2Impl to authentica…

Critical

CVE-2025-27224

TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/fileupload endpoint to upload files. However, the applic…

High

CVE-2025-27225

TRUfusion Enterprise through 7.10.4.0 exposes the /trufusionPortal/jsp/internal_admin_contact_login.jsp endpoint to unau…

High

CVE-2025-27222

TRUfusion Enterprise through 7.10.4.0 uses the /trufusionPortal/getCobrandingData endpoint to retrieve files. However, t…

High

CVE-2024-45955

Rocket Software Rocket Zena 4.4.1.26 is vulnerable to SQL Injection via the filter parameter.