7.5
CVE-2022-3251
- EPSS 0.49%
- Veröffentlicht 21.09.2022 17:15:09
- Zuletzt bearbeitet 21.11.2024 07:19:08
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
LoginSensitive Cookie in HTTPS Session Without 'Secure' Attribute in ikus060/minarca
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.384 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| security@huntr.dev | 7.5 | 1.6 | 5.9 |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-311 Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
https://github.com/ikus060/minarca/commit/7b5c7e6cbd59268d5cd4f1b5f42e721db116f71a
https://huntr.dev/bounties/b9a1b411-060b-4235-9426-e39bd0a1d6d9