CVE-2023-4654 : Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repositor

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.

Published 2023-08-31 01:15:11

Updated 2023-09-01 14:48:51

Source huntr.dev

View at NVD, CVE.org

Products affected by CVE-2023-4654

Instantcms » Instantcms
Versions before (<) 2.16.1
cpe:2.3:a:instantcms:instantcms:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 9 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.6	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N	1.2	1.4	huntr.dev
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
3.5	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N	2.1	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Assigned by: security@huntr.dev (Primary)

https://huntr.dev/bounties/56432a75-af43-4b1a-9307-bd8de568351b

huntr: Page not found
Exploit;Patch;Third Party Advisory
https://github.com/instantsoft/icms2/commit/ca5f150da11d9caae86638885137afe35bcc3592

Add session regenerate after login & logout. Secure cookie if HTTPS. · instantsoft/icms2@ca5f150 · GitHub
Patch

CVEs referencing this url

Jump to