Cookie without Secure attribute in usememos/memos
Valid
Reported on Dec 21st 2022
Description
At the moment, the memos_session cookie has its Secure flag set to false.
Proof of Concept
Access the web demo at https://demo.usememos.com/
Use the browser's dev tools to check the cookies; there is a memos_session cookie with the value false for Secure.
Impact
The user's cookies can be sent to the server in an unencrypted request over the HTTP protocol. This is not secure.
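The effect described above, as an added Go example that is not part of the original report or the memos code base: it stores memos_session in a standard-library cookie jar as if received over HTTPS, then checks whether a client would attach it to a plain http:// request. The host memos.example and the cookie value are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// sessionCookie builds the session cookie as a server would set it.
// The value is a constructed placeholder; only the Secure attribute varies.
func sessionCookie(secure bool) *http.Cookie {
	return &http.Cookie{
		Name:   "memos_session",
		Value:  "constructed-sample-value",
		Path:   "/",
		Secure: secure,
	}
}

// sentOverHTTP stores the cookie as if it arrived over HTTPS, then returns the
// names of the cookies a standards-following client would attach to a plain
// http:// request to the same host (memos.example is a placeholder host).
func sentOverHTTP(c *http.Cookie) ([]string, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return nil, err
	}
	httpsURL, _ := url.Parse("https://memos.example/")
	httpURL, _ := url.Parse("http://memos.example/")
	jar.SetCookies(httpsURL, []*http.Cookie{c})

	names := []string{}
	for _, got := range jar.Cookies(httpURL) {
		names = append(names, got.Name)
	}
	return names, nil
}

func main() {
	for _, secure := range []bool{false, true} {
		names, err := sentOverHTTP(sessionCookie(secure))
		if err != nil {
			panic(err)
		}
		fmt.Printf("Secure=%v -> attached to http request: %v\n", secure, names)
	}
}
```

With Secure set to true the jar withholds the cookie from the http:// request, which is the behaviour the report asks for.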
We are processing your report and will contact the usememos/memos team within 24 hours.
19 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back
18 days ago
The researcher's credibility has increased: +7