Sensitive Cookie Without 'HttpOnly' Flag in glpi-project/glpi
Aug 5th 2021
According to OWASP (https://owasp.org/www-community/HttpOnly) we have:
"HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie."
This vulnerability is capable of taking control of a user's account.
References: https://owasp.org/www-community/HttpOnly , https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
Location: index.php#L1
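The report's point is that a session cookie issued without HttpOnly can be read by any script running in the page. The following is an added example (not GLPI code and not part of the report) of a defender-side check: it parses Set-Cookie response headers and flags session-like cookies that lack HttpOnly, and also reports the related Secure and SameSite attributes. The cookie names, the "session-like" name heuristic and the sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (plus Secure and SameSite).

Added example for this report; it is not code from the GLPI project.
All cookie names and sample headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Substrings that mark a cookie as session/auth material (constructed heuristic;
# adapt to the real cookie names of the application being audited).
SESSION_COOKIE_HINTS = ("sess", "session", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value and record which protective flags it carries."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive (RFC 6265), so normalise them.
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def looks_like_session_cookie(name: str) -> bool:
    """Constructed heuristic: treat cookies whose name hints at a session as sensitive."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_set_cookie_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie header; findings are raised only for session-like cookies."""
    results: List[CookieAudit] = []
    for header in headers:
        audit = parse_set_cookie(header)
        if looks_like_session_cookie(audit.name):
            if not audit.httponly:
                audit.findings.append(
                    "missing HttpOnly: cookie readable via document.cookie (CWE-1004)")
            if not audit.secure:
                audit.findings.append("missing Secure: cookie may be sent over plaintext HTTP")
            if audit.samesite is None:
                audit.findings.append("missing SameSite: cookie gives no cross-site request restriction")
        results.append(audit)
    return results


# Constructed sample headers: the first is the weak form described in the report,
# the second is the hardened form, the third is a non-session cookie.
SAMPLE_HEADERS = [
    "app_session=abc123; Path=/",
    "app_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for audit in audit_set_cookie_headers(SAMPLE_HEADERS):
        status = "OK" if not audit.findings else "; ".join(audit.findings)
        print(f"{audit.name}: {status}")
```

Run against live responses by feeding every Set-Cookie header of a login response into audit_set_cookie_headers; the first sample header produces the HttpOnly finding that corresponds to this report's CWE-1004, the second produces none. In PHP applications the flag is typically enabled through the session.cookie_httponly ini setting or the httponly option of setcookie(); this is general PHP behaviour, not a statement about how GLPI resolved this advisory.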
Hey amammad, I've contacted the repo's maintainers for you.
I just created a Github security advisory for this report. https://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2
@amammad - I have changed the CWE to the requested 1004, and have updated the bounties as expected for the CWE type.