Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in netdisco/netdisco

Reported on Sep 27th 2021

Session cookie dancer.session is not marked with 'Secure'

Proof of Concept

  1. Go to the demo page; the page automatically logs in as guest
  2. Open the Firefox developer tools and see that the cookie dancer.session is not marked 'Secure'
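The same check can be done without a browser by reading the Set-Cookie headers directly. The Python script below is an added example for this report, not netdisco or huntr code: it parses Set-Cookie headers and reports which of the Secure and HttpOnly attributes a named cookie lacks. The sample headers are constructed to mirror the finding (a dancer.session cookie without Secure, and the same cookie as it should look after the fix); the live fetch helper, the host name and the User-Agent string are the author's assumptions and are not exercised here so the example runs offline.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this report; it is not netdisco or huntr code. The
sample headers below are constructed and were not captured from the demo
site.
"""
import http.client
from typing import Dict, List, Optional, Tuple

# Attributes a session cookie served over HTTPS should carry. Secure stops
# the browser from sending the cookie over plain HTTP; HttpOnly stops script
# from reading it. Names are compared case-insensitively (RFC 6265).
REQUIRED_FLAGS = ("secure", "httponly")

# Constructed sample headers: the cookie as reported (no Secure) and the
# cookie once the site configuration marks it Secure.
SAMPLE_BEFORE = "dancer.session=9f3c1a2b; Path=/; HttpOnly"
SAMPLE_AFTER = "dancer.session=9f3c1a2b; Path=/; Secure; HttpOnly"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Follows RFC 6265 section 5.2: the first ';'-separated piece is
    name=value, every later piece is attribute[=value]. Attribute names are
    stored lower-cased; flag attributes such as Secure and HttpOnly carry
    no value and map to None.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for piece in pieces[1:]:
        if not piece:  # tolerate a trailing ';'
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def missing_flags(header: str, required=REQUIRED_FLAGS) -> List[str]:
    """Return the required attributes the cookie lacks, in the order given."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in required if flag not in attrs]


def audit(headers: List[str], cookie_name: str) -> Dict[str, List[str]]:
    """Map each Set-Cookie header that sets cookie_name to its missing flags.

    A response may carry several Set-Cookie headers (one per cookie), so the
    caller passes the whole list and only the named cookie is judged.
    """
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if name == cookie_name:
            findings[header] = missing_flags(header)
    return findings


def fetch_set_cookie(host: str, path: str = "/") -> List[str]:
    """Live variant: GET path over HTTPS and return all Set-Cookie headers.

    Not called in this example so that it runs offline; host and path are
    the caller's choice (assumption, no real target is implied).
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "cookie-audit"})
        resp = conn.getresponse()
        # get_all returns None when no Set-Cookie header is present.
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for label, header in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        missing = missing_flags(header)
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{label:10s} {header!r}: {status}")
```

Because the demo page logs the visitor in as guest on the first request, a single unauthenticated GET (via fetch_set_cookie) is enough to obtain the session cookie and run audit on it. In Dancer-based applications the attribute is governed by the session configuration; consult the documentation of the Dancer version in use for the exact setting.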
We created a GitHub Issue asking the maintainers to create a (a year ago)
We have contacted a member of the netdisco team and are waiting to hear back (a year ago)

netdisco/netdisco maintainer (a year ago):

Hello! Thank you for this alert! We have amended the site configuration to use cookies marked for secure sessions only:

netdisco/netdisco maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
netdisco/netdisco maintainer confirmed that a fix has been merged on 0cef3b a year ago
The fix bounty has been dropped