Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kevinpapst/kimai2

Valid

Reported on

Oct 6th 2021


Description

Session cookie dancer.session is not marked with 'Secure'

Proof of Concept

Login to demo page  https://demo-stable.kimai.org/en/dashboard/,  

Open Firefox developer option  -> storage -> check secure option
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 2 months ago
Kevin Papst validated this vulnerability 2 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst confirmed that a fix has been merged on 84e258 2 months ago
Kevin Papst has been awarded the fix bounty