4.3
CVE-2018-1804
- EPSS 0.14%
- Veröffentlicht 13.12.2018 16:29:00
- Zuletzt bearbeitet 21.11.2024 04:00:24
- Quelle psirt@us.ibm.com
- CVE-Watchlists
- Unerledigt
LoginIBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 149703.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Ibm ≫ Security Access Manager Version >= 9.0.1.0 <= 9.0.5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.305 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 3.7 | 2.2 | 1.4 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
| psirt@us.ibm.com | 3.7 | 2.2 | 1.4 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.