Sensitive Cookie Without 'HttpOnly' Flag in craigk5n/webcalendar

Valid

Reported on

Oct 15th 2021


✍️ Description
HTTPOnly attribute is not set for session cookies in the application
💥 Impact
When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can make it easier to achieve account/session takeover.

Session cookie is not marked with 'HTTPOnly'

Proof of Concept

Login to demo page http://webcalendar.sourceforge.net/demo/

Open Firefox developer option -> storage -> check secure option
We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back 7 months ago
Craig Knudsen
7 months ago

Maintainer


Resolved with commit b6c99341a539a44b051064d579459c18661e8be9 in branch bootstrap-ui and will be included in next release.

https://github.com/craigk5n/webcalendar/commit/b6c99341a539a44b051064d579459c18661e8be9

Craig Knudsen validated this vulnerability 7 months ago
0xad3l has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
3 months ago

Maintainer


The fix for this is now included in the WebCalendar v1.9.0 release.

Craig Knudsen confirmed that a fix has been merged on b6c993 3 months ago
Craig Knudsen has been awarded the fix bounty
to join this conversation