Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in pimcore/pimcore


Reported on

Jul 19th 2022


The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session

Proof of Concept

Created:"Tue, 19 Jul 2022 13:15:32 GMT"
Expires / Max-Age:"Session"
Last Accessed:"Tue, 19 Jul 2022 13:15:36 GMT"

Proof of Concept (Link):


If possible, you should set the Secure flag for these cookies.


When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL/TLS channels. This is an important security protection for session cookies. The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
pimcore/pimcore maintainer
a year ago


This is actually only for the as Pimcore uses Symfony's auto-secure feature, which seems to not work properly behind the reverse proxy. See also:

Bernhard Rusch
a year ago


Obviously it seems it's not the default value - created a fix for that.

Bernhard Rusch validated this vulnerability a year ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bernhard Rusch marked this as fixed in 10.5.0 with commit e06875 a year ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


Yeah, Ticket closed from my side too.

Thank you

to join this conversation