Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in publify/publify


Reported on Oct 8th 2021


Session cookie _publify_blog_session is not marked with 'Secure'.

Proof of Concept 

Log in to the demo page.

Open Firefox developer tools -> Storage -> inspect the Secure column for the cookie.

The link below shows the PoC.
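As an added example (not part of this report or of publify's own code), a small Ruby checker that parses Set-Cookie response headers and flags a session cookie lacking Secure, HttpOnly or SameSite, the class of defect this report describes. The functions parse_set_cookie, missing_cookie_attributes and audit_cookies are my own names, and the sample headers are constructed, not captured from publify.

```ruby
# Added example: audit Set-Cookie headers for missing hardening attributes.

# Parse one Set-Cookie header value into its name, value and attributes.
# Attribute names are case-insensitive (RFC 6265), so keys are downcased;
# flag attributes without a value (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  name_value, *attrs = header.split(";").map(&:strip)
  name, value = name_value.split("=", 2)
  attributes = {}
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    attributes[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value, attributes: attributes }
end

# Return the hardening attributes a cookie is missing. Over HTTPS a session
# cookie should carry Secure (never sent over plaintext HTTP), HttpOnly
# (not readable from script) and an explicit SameSite.
def missing_cookie_attributes(header)
  attrs = parse_set_cookie(header)[:attributes]
  missing = []
  missing << "Secure" unless attrs.key?("secure")
  missing << "HttpOnly" unless attrs.key?("httponly")
  missing << "SameSite" unless attrs.key?("samesite")
  missing
end

# Audit every Set-Cookie header of a response; returns [name, gaps] pairs
# only for cookies that have at least one gap.
def audit_cookies(headers)
  headers.each_with_object([]) do |h, out|
    gaps = missing_cookie_attributes(h)
    out << [parse_set_cookie(h)[:name], gaps] unless gaps.empty?
  end
end

# Constructed headers: the first mirrors the report (no Secure attribute),
# the second is the hardened form of the same cookie.
SAMPLE_HEADERS = [
  "_publify_blog_session=c2Vzc2lvbg; path=/; HttpOnly",
  "_publify_blog_session=c2Vzc2lvbg; path=/; HttpOnly; Secure; SameSite=Lax"
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_cookies(SAMPLE_HEADERS).each { |n, m| puts "#{n}: missing #{m.join(', ')}" }
end
```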

We created a GitHub Issue asking the maintainers to create a


Any updates on this?


Better reference perhaps:

Matijs van Zuijlen validated this vulnerability
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matijs van Zuijlen marked this as fixed with commit 4f7097
Matijs van Zuijlen has been awarded the fix bounty
This vulnerability will not receive a CVE