Cookie without Secure attribute in usememos/memos
Reported on
Dec 21st 2022
Description
At the moment, the memos_session cookie is issued with its Secure flag set to false.
Proof of Concept
Access to web demo https://demo.usememos.com/
Use the browser's developer tools to inspect the cookies; the memos_session cookie shows the value false in the Secure column.
Impact
Without the Secure attribute, the user's session cookie can be sent to the server in an unencrypted request over plain HTTP. This is not secure.
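The following added example (not code from the memos project) shows the reported configuration beside the corrected one in Go, the language the memos server is written in, together with a check that reads a response's Set-Cookie headers and reports which protective attributes the memos_session cookie lacks. The helper names and the cookie value are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSessionCookie issues the memos_session cookie. The secure parameter stands
// in for the attribute the report found missing: false reproduces the reported
// configuration, true is the hardened form. (Constructed helper, not memos code.)
func setSessionCookie(w http.ResponseWriter, secure bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     "memos_session",
		Value:    "constructed-session-value", // placeholder, not a real token
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	})
}

// missingCookieAttrs parses every Set-Cookie header of a response and returns,
// per cookie name, the protective attributes that are absent (Secure, HttpOnly).
func missingCookieAttrs(resp *http.Response) map[string][]string {
	out := map[string][]string{}
	for _, c := range resp.Cookies() {
		var missing []string
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		out[c.Name] = missing
	}
	return out
}

// auditSessionCookie writes the cookie into a recorded response and reports
// which attributes memos_session lacks under the given setting.
func auditSessionCookie(secure bool) []string {
	rec := httptest.NewRecorder()
	setSessionCookie(rec, secure)
	return missingCookieAttrs(rec.Result())["memos_session"]
}

func main() {
	fmt.Println("reported:", auditSessionCookie(false)) // [Secure]
	fmt.Println("fixed:   ", auditSessionCookie(true))  // []
}
```

The same missingCookieAttrs check can be pointed at a live response from a deployment to confirm the fix is present after upgrading.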