Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in publify/publify


Reported on

Oct 8th 2021


Session cookie _publify_blog_session is not marked with the 'Secure' attribute, so the browser will also send it over plain HTTP.

Proof of Concept

Log in to the demo page.

Open the Firefox developer tools -> Storage -> Cookies and check the Secure column for the session cookie.

The link below shows the PoC.
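The check above is done by eye in the Firefox Storage panel. The following is an added example, not code from the original report or from the publify project, that does the same check scriptably over the Set-Cookie headers of a response, so it can run against a staging deployment in CI. All function names are my own, and the two sample headers are constructed for illustration: the first mirrors what the report describes (session cookie without Secure), the second is the hardened form.

```ruby
# Added example: audit Set-Cookie headers for the 'Secure' attribute and the
# related HttpOnly / SameSite hardening attributes. Not part of publify.

# Parse one Set-Cookie header value into the cookie name and a hash of its
# attributes (keys lower-cased; flag attributes such as Secure map to true).
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, _value = parts.shift.split('=', 2)
  attrs = {}
  parts.each do |part|
    key, val = part.split('=', 2)
    attrs[key.downcase] = val.nil? ? true : val
  end
  { name: name, attrs: attrs }
end

# Return the list of problems for one parsed cookie. An empty array means the
# cookie carries every attribute we expect on an HTTPS session cookie.
def cookie_findings(cookie, https: true)
  attrs = cookie[:attrs]
  findings = []
  findings << 'missing Secure (also sent over plain HTTP)' if https && !attrs.key?('secure')
  findings << 'missing HttpOnly (readable by page scripts)' unless attrs.key?('httponly')
  findings << 'missing SameSite (default differs between browsers)' unless attrs.key?('samesite')
  findings
end

# Audit every Set-Cookie header in a response. Returns an array of
# { name:, findings: } entries, one per cookie that has at least one problem.
def audit_set_cookie_headers(headers, https: true)
  headers.each_with_object([]) do |header, report|
    cookie = parse_set_cookie(header)
    problems = cookie_findings(cookie, https: https)
    report << { name: cookie[:name], findings: problems } unless problems.empty?
  end
end

# Constructed sample headers (not captured from a real publify instance).
WEAK_HEADER = '_publify_blog_session=abc123; path=/; HttpOnly'
HARDENED_HEADER = '_publify_blog_session=abc123; path=/; HttpOnly; Secure; SameSite=Lax'

if __FILE__ == $PROGRAM_NAME
  audit_set_cookie_headers([WEAK_HEADER, HARDENED_HEADER]).each do |entry|
    puts "#{entry[:name]}: #{entry[:findings].join(', ')}"
  end
end
```

Running the script reports the weak header as missing Secure and SameSite and stays silent for the hardened one. In a Rails application the corresponding server-side setting is the `secure:` option of the cookie session store; the actual change made in the fix commit referenced below is not reproduced here.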

We created a GitHub Issue asking the maintainers to create a 2 months ago


Any updates on this?

2 months ago


Better reference perhaps:

Matijs van Zuijlen validated this vulnerability 2 months ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 months ago
Matijs van Zuijlen confirmed that a fix has been merged on 4f7097 2 months ago
Matijs van Zuijlen has been awarded the fix bounty