4.6
CVE-2023-3520
- EPSS 0.26%
- Published 06.07.2023 01:15:08
- Last modified 21.11.2024 08:17:26
- Source security@huntr.dev
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in it-novum/openitcockpit
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.
Data provided by the National Vulnerability Database (NVD)
It-novum ≫ Openitcockpit Version < 4.6.6
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.172 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.6 | 2.1 | 2.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| security@huntr.dev | 4.3 | 2.8 | 1.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
https://github.com/it-novum/openitcockpit/commit/6c717f3c352e55257fc3fef2c5dec111f7d2ee6b
https://huntr.dev/bounties/f3b277bb-91db-419e-bcc4-fe0b055d2551