Sensitive Cookie Without 'HttpOnly' Flag in glpi-project/glpi

Valid

Reported on

Aug 5th 2021


✍️ Description

According to [1]: HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie.

💥 Impact

This vulnerability is capable of taking control of a user's account.

[1] https://owasp.org/www-community/HttpOnly
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

📍 Location

index.php#L1
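A defender-side check for the condition this report describes, as an added example that is not part of the original report or of GLPI's code: it parses Set-Cookie response header values and lists sensitive-looking cookies that were set without HttpOnly. The cookie names, the name heuristic and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for a missing HttpOnly attribute (CWE-1004).
# Cookie names and header values below are constructed sample data.

SENSITIVE_HINTS = ("sess", "auth", "token", "remember")  # assumed naming heuristic


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are matched case-insensitively (RFC 6265, section 5.2).
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_sensitive(name):
    """Heuristic: treat cookies whose name hints at a session or credential as sensitive."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def cookies_missing_httponly(set_cookie_headers):
    """Return names of sensitive cookies set without the HttpOnly attribute."""
    findings = []
    for header_value in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header_value)
        if is_sensitive(name) and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed Set-Cookie values, one per response header line.
SAMPLE_HEADERS = [
    "app_session_1a2b=4f9c2d; path=/",                     # flagged
    "app_session_3c4d=77aa10; Path=/; Secure; HTTPONLY",   # ok: attribute in any case
    "auth_token=httponly; Path=/",                         # flagged: text is the value, not an attribute
    "lang=en_GB; Path=/; Max-Age=31536000",                # ignored: not sensitive
    "remember_me=abc123; path=/; httponly; SameSite=Lax",  # ok
]

if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"missing HttpOnly: {cookie}")
```

The same function can be pointed at the Set-Cookie values captured from a login response to confirm that a fix took effect.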

Z-Old
2 years ago

Admin


Hey amammad, I've contacted the repo's maintainers for you.

We have contacted a member of the glpi-project/glpi team and are waiting to hear back 2 years ago
glpi-project/glpi maintainer
2 years ago

Maintainer


I just created a GitHub security advisory for this report. https://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2

glpi-project/glpi maintainer validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
amammad modified the report
2 years ago
Jamie Slome
2 years ago

Admin


@amammad - I have changed the CWE to the requested 1004, and have updated the bounties as expected for the CWE type.

François Legastelois marked this as fixed in 9.5.6 with commit 7e1208 a year ago
François Legastelois has been awarded the fix bounty
This vulnerability will not receive a CVE