Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in craigk5n/webcalendar
Oct 15th 2021
Session cookie is not marked with 'Secure'
Proof of Concept
Login to demo page http://webcalendar.sourceforge.net/demo/
Open Firefox developer option -> storage -> check secure option
Note that the file controlpanel.php has been removed from the dev code (bootstrap-ui) branch. This branch will be the source of the next release (and merged into master).
Fixed in commit 980fae68d2dea16cf8170a8a17e315fc5fd26691 on branch bootstrap-ui. Will be included in next release.
Changes in commit: https://github.com/craigk5n/webcalendar/commit/980fae68d2dea16cf8170a8a17e315fc5fd26691
The fix for this is now included in the WebCalendar v1.9.0 release.