Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in craigk5n/webcalendar

Valid

Reported on

Oct 15th 2021


Description

Session cookie is not marked with 'Secure'

Proof of Concept

Login to demo page http://webcalendar.sourceforge.net/demo/

Open Firefox developer option -> storage -> check secure option

We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back 7 months ago
@0xAmal modified the report
7 months ago
Craig Knudsen
7 months ago

Maintainer


Note that the file controlpanel.php has been removed from the dev code (bootstrap-ui) branch. This branch will be the source of the next release (and merged into master).

https://github.com/craigk5n/webcalendar/tree/bootstrap-ui

Craig Knudsen
7 months ago

Maintainer


Fixed in commit 980fae68d2dea16cf8170a8a17e315fc5fd26691 on branch bootstrap-ui. Will be included in next release.

Changes in commit: https://github.com/craigk5n/webcalendar/commit/980fae68d2dea16cf8170a8a17e315fc5fd26691

Craig Knudsen validated this vulnerability 7 months ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
3 months ago

Maintainer


The fix for this is now included in the WebCalendar v1.9.0 release.

Craig Knudsen confirmed that a fix has been merged on 980fae 3 months ago
Craig Knudsen has been awarded the fix bounty
to join this conversation