Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in craigk5n/webcalendar

Valid

Reported on

Oct 15th 2021


Description

Session cookie is not marked with 'Secure'

Proof of Concept

Log in to the demo page http://webcalendar.sourceforge.net/demo/

Open the Firefox developer options -> Storage -> check the Secure option
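The same check done against raw Set-Cookie headers rather than the Firefox storage tab, as an added example that is not part of the report or the WebCalendar project; it assumes PHP's default session cookie name PHPSESSID and uses constructed sample headers, not ones captured from the demo site.

```python
"""Audit Set-Cookie headers for the weakness in this report: a session cookie
issued over HTTPS without the Secure attribute (HttpOnly/SameSite checked too)."""
from typing import Dict, List, Optional

# Constructed sample headers (not captured from the WebCalendar demo site).
# PHPSESSID is PHP's default session cookie name; the attribute sets are invented.
WEAK_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/",
]
FIXED_HEADERS = [
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[object]]:
    """Split one Set-Cookie header value into its name and the attributes we care about."""
    name_value, *attrs = header.split(";")
    name, _, _value = name_value.strip().partition("=")
    cookie = {"name": name.strip(), "secure": False, "httponly": False, "samesite": None}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower() or None
    return cookie


def audit_set_cookie(headers: List[str], over_https: bool = True) -> List[Dict[str, object]]:
    """Return one entry per cookie that lacks a protective attribute.

    Missing Secure is the finding from this report: without it the browser also
    sends the cookie on any plaintext http:// request to the host, so the session
    identifier can be observed on the wire.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        issues = []
        if over_https and not cookie["secure"]:
            issues.append("missing Secure")
        if not cookie["httponly"]:
            issues.append("missing HttpOnly")
        if cookie["samesite"] is None:
            issues.append("missing SameSite")
        if issues:
            findings.append({"name": cookie["name"], "issues": issues})
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_set_cookie(headers))
```

Point it at the Set-Cookie values from a real login response to get the same answer the storage tab shows, plus the two related attributes the report does not cover.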

We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back a year ago
@0xAmal modified the report
a year ago
Craig Knudsen
a year ago

Maintainer


Note that the file controlpanel.php has been removed from the dev code (bootstrap-ui) branch. This branch will be the source of the next release (and merged into master).

https://github.com/craigk5n/webcalendar/tree/bootstrap-ui

Craig Knudsen
a year ago

Maintainer


Fixed in commit 980fae68d2dea16cf8170a8a17e315fc5fd26691 on branch bootstrap-ui. Will be included in next release.

Changes in commit: https://github.com/craigk5n/webcalendar/commit/980fae68d2dea16cf8170a8a17e315fc5fd26691

Craig Knudsen validated this vulnerability a year ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
a year ago

Maintainer


The fix for this is now included in the WebCalendar v1.9.0 release.

Craig Knudsen marked this as fixed in v1.9.0 with commit 980fae a year ago
Craig Knudsen has been awarded the fix bounty
This vulnerability will not receive a CVE