Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kevinpapst/kimai2
Valid
Reported on Oct 6th 2021
Description
The session cookie dancer.session is not marked with the 'Secure' attribute.
Proof of Concept
Log in to the demo page https://demo-stable.kimai.org/en/dashboard/, then
open the Firefox developer tools -> Storage -> check the Secure option.
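
The manual Firefox check above can also be scripted against the `Set-Cookie` response headers. The following is an added example, not part of the original report or of the Kimai project; the function names are hypothetical and the sample header values are constructed, not captured from the demo site.

```python
# Added example: flag session cookies that are set without the Secure attribute.
# The cookie name comes from the report; everything else here is an assumption.
SESSION_NAMES = {"dancer.session"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def insecure_session_cookies(set_cookie_headers, session_names=SESSION_NAMES):
    """Return the names of session cookies sent without the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        # Check the parsed attribute, not a substring of the whole header.
        if name in session_names and "secure" not in attrs:
            findings.append(name)
    return findings

# Constructed sample headers.
SAMPLE_VULNERABLE = [
    "dancer.session=abc123; Path=/; HttpOnly",
    "theme=secure; Path=/",  # not a session cookie, ignored
]
SAMPLE_EDGE = [
    # "secure" appears only in the value and the Path, never as an attribute;
    # a naive substring search would wrongly pass this cookie.
    "dancer.session=secure; Path=/secure; HttpOnly",
]
SAMPLE_FIXED = [
    # Attribute names are case-insensitive.
    "dancer.session=abc123; Path=/; HttpOnly; secure; SameSite=Lax",
]

if __name__ == "__main__":
    for label, headers in [("vulnerable", SAMPLE_VULNERABLE),
                           ("edge", SAMPLE_EDGE),
                           ("fixed", SAMPLE_FIXED)]:
        print(label, insecure_session_cookies(headers))
```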
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back