Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in craigk5n/webcalendar


Reported on

Oct 15th 2021


Session cookie is not marked with 'Secure'

Proof of Concept

Login to demo page

Open Firefox developer option -> storage -> check secure option
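
The check from the proof of concept above, automated as an added example (not part of the original report or of WebCalendar's code): it parses captured `Set-Cookie` response headers and lists the cookies set without the `Secure` attribute. The sample headers and cookie names are constructed for illustration.

```python
"""Flag Set-Cookie headers that lack the Secure attribute (added example)."""

# Constructed sample: response headers as they might be captured from an
# HTTPS login response. Cookie names and values are hypothetical.
SAMPLE_HEADERS = [
    "Set-Cookie: app_session=3f9a1c; path=/; HttpOnly",
    "Set-Cookie: app_login=secure; Path=/",  # value "secure" is not the flag
    "set-cookie: prefs=dark; Path=/; SECURE; SameSite=Lax",
    "Set-Cookie: csrf=ab12; Path=/; Secure ; HttpOnly",
    "Content-Type: text/html; charset=UTF-8",
]


def parse_set_cookie(header_line):
    """Return (cookie_name, set of lowercased attribute names) or None."""
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "set-cookie":
        return None
    parts = value.split(";")
    # The first segment is always name=value; only later segments are attributes.
    cookie_name = parts[0].partition("=")[0].strip()
    if not cookie_name:
        return None
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p.strip()}
    return cookie_name, attrs


def cookies_missing_secure(header_lines):
    """Names of cookies set without the Secure attribute, in header order."""
    missing = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        cookie_name, attrs = parsed
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} is set without Secure")
```

Attribute names are matched case-insensitively and only after the first `;`, so a cookie whose value happens to be `secure` is still reported.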

We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back 7 months ago
@0xAmal modified the report
7 months ago
Craig Knudsen
7 months ago


Note that the file controlpanel.php has been removed from the dev code (bootstrap-ui) branch. This branch will be the source of the next release (and merged into master).

Craig Knudsen
7 months ago


Fixed in commit 980fae68d2dea16cf8170a8a17e315fc5fd26691 on branch bootstrap-ui. Will be included in next release.

Changes in commit:

Craig Knudsen validated this vulnerability 7 months ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
3 months ago


The fix for this is now included in the WebCalendar v1.9.0 release.

Craig Knudsen confirmed that a fix has been merged on 980fae 3 months ago
Craig Knudsen has been awarded the fix bounty