Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in blair2004/nexopos-4x

Valid

Reported on

Sep 29th 2021


Description

Session cookie nexopos_session is not marked as Secure

Proof of Concept

  1. Open demo page https://v4.nexopos.com/sign-in using firefox; login using demo account
  2. Go to Developer tool -> Storage -> Cookie and see that nexopos_session has Secure = False
Z-Old
2 years ago

Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back 2 years ago
Blair Jersyer validated this vulnerability 2 years ago
ktg9 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer marked this as fixed with commit 0a75a2 2 years ago
Blair Jersyer has been awarded the fix bounty
to join this conversation