Cookie without Secure flag in instantsoft/icms2

Valid

Reported on

Aug 14th 2023


Description

There is an ICMS62EC2566CC4B5 cookie without the Secure flag, and this is an authentication cookie.

Proof of Concept

Link photo PoC: https://drive.google.com/file/d/1uWsRKMT-KyuRPA01Ra1W3YphQgNmMkuu/view?usp=sharing

Impact

If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope.

An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.

Occurrences

Set it to true.

We are processing your report and will contact the instantsoft/icms2 team within 24 hours. (a month ago)
Chuu submitted a
a month ago
We have contacted a member of the instantsoft/icms2 team and are waiting to hear back. (a month ago)
instantsoft/icms2 maintainer modified the Severity from Medium (4.3) to Low (2.6). (a month ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
instantsoft/icms2 maintainer validated this vulnerability. (a month ago)

Thank you for your interest in the project. It is not possible to just install in true, because InstantCMS can be installed inside the network, consciously without https protocol. We will fix it differently, more universally.
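The constraint in the maintainer's reply above (some installations run over plain HTTP, so the flag cannot be hard-coded to true) can be met by deriving the Secure attribute from the scheme of the current request. The following PHP is an added example, not InstantCMS code and not the fix in commit ca5f15; the function names, the trusted-proxy list, the cookie name `auth` and the sample requests are assumptions.

```php
<?php
// Added example, not InstantCMS code. Function names are hypothetical.

/**
 * Decide whether the current request arrived over HTTPS.
 * $server is a copy of $_SERVER; $trustedProxies lists reverse-proxy
 * addresses whose X-Forwarded-Proto header may be believed (assumption).
 */
function request_is_https(array $server, array $trustedProxies = []): bool
{
    // TLS terminated by the web server itself ("off" is what IIS reports for HTTP).
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated at a reverse proxy: the header is client-controllable,
    // so accept it only when the peer is a known proxy.
    $remote = $server['REMOTE_ADDR'] ?? '';
    $proto  = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return $proto === 'https' && in_array($remote, $trustedProxies, true);
}

/** Build the options array for setcookie() (array form, PHP 7.3+). */
function auth_cookie_options(array $server, int $lifetime, array $trustedProxies = []): array
{
    return [
        'expires'  => time() + $lifetime,
        'path'     => '/',
        // Secure whenever the site is reached over HTTPS; left off only for
        // deliberate plain-HTTP installs such as an internal network.
        'secure'   => request_is_https($server, $trustedProxies),
        'httponly' => true, // assumption: the cookie is not read by scripts
    ];
}

// Constructed sample requests (documentation and private addresses).
$plain   = ['REMOTE_ADDR' => '192.0.2.10'];
$tls     = ['REMOTE_ADDR' => '192.0.2.10', 'HTTPS' => 'on'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'];

foreach (compact('plain', 'tls', 'proxied', 'spoofed') as $name => $srv) {
    $opts = auth_cookie_options($srv, 3600, ['10.0.0.5']);
    printf("%-8s secure=%s\n", $name, var_export($opts['secure'], true));
}

// In a real response handler:
// setcookie('auth', $token, auth_cookie_options($_SERVER, 3600, $trustedProxies));
```

On an HTTPS deployment, redirecting HTTP to HTTPS and sending HSTS closes the remaining window in which a first plain-HTTP request could be made.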

Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
instantsoft/icms2 maintainer gave praise. (a month ago)
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Fuze marked this as fixed in 2.16.1 with commit ca5f15. (a month ago)
Fuze has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Aug 31st 2023
user.php#L571 has been validated
Chuu
a month ago

Researcher


thank you too

Fuze published this vulnerability 22 days ago