Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in blair2004/nexopos-4x


Reported on

Sep 29th 2021


Session cookie nexopos_session is not marked as Secure

Proof of Concept

  1. Open demo page using firefox; login using demo account
  2. Go to Developer tool -> Storage -> Cookie and see that nexopos_session has Secure = False
a year ago


Hey ktg9, I've emailed the maintainers for you.

We have contacted a member of the blair2004/nexopos-4x team and are waiting to hear back a year ago
Blair Jersyer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blair Jersyer confirmed that a fix has been merged on 0a75a2 a year ago
Blair Jersyer has been awarded the fix bounty
to join this conversation