Sensitive Cookie Without 'HttpOnly' Flag in craigk5n/webcalendar


Reported on

Oct 15th 2021

✍️ Description
HTTPOnly attribute is not set for session cookies in the application
💥 Impact
When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can make it easier to achieve account/session takeover.

Session cookie is not marked with 'HTTPOnly'

Proof of Concept

Login to demo page

Open Firefox developer option -> storage -> check secure option
We have contacted a member of the craigk5n/webcalendar team and are waiting to hear back 2 years ago
Craig Knudsen
2 years ago


Resolved with commit b6c99341a539a44b051064d579459c18661e8be9 in branch bootstrap-ui and will be included in next release.

Craig Knudsen validated this vulnerability 2 years ago
0xad3l has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
a year ago


The fix for this is now included in the WebCalendar v1.9.0 release.

Craig Knudsen marked this as fixed in v1.9.0 with commit b6c993 a year ago
Craig Knudsen has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation