Vulnerability Details : CVE-2021-20450
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 196640.
Products affected by CVE-2021-20450
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2021-20450
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 17 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-20450
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
IBM Corporation | 2024-05-03 |
CWE ids for CVE-2021-20450
-
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2021-20450
-
https://www.ibm.com/support/pages/node/7149876
Security Bulletin: IBM Controller has addressed multiple vulnerabilities
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/196640
IBM Cognos Controller information disclosure CVE-2021-20450 Vulnerability Report
Jump to