We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

/

Session_id without Secure attribute in ikus060/minarca

Valid

Reported on

Sep 13th 2022

Description

User's session id with secure attribute is false. This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

Proof of Concept

Open the browser and get access to the minarca website, for this scenario I have used the demo/test website. Check the cookie in browser's dev tool and realize that the cookie with Secure attribute is false.

Impact

This vulnerability makes user's cookies can be sent to the server with an unencrypted request over the HTTP protocol.

References

Mitre reference

We are processing your report and will contact the ikus060/minarca team within 24 hours. a year ago

Patrik Dufresne validated this vulnerability a year ago

This vulnerability is valid. Was reported on Rdiffweb project.

Minarca will get fixed, whenever I upgrade Rdiffweb version embedded in Minarca.

Vanilla has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Patrik Dufresne

commented a year ago

Maintainer

Affected version should be 4.2.0

commented a year ago

Researcher

Thank you. Yes, If I could edit the affected version It is 4.2.0 for the Minarca.

We have sent a fix follow up to the ikus060/minarca team. We will try again in 7 days. a year ago

commented a year ago

Researcher

Hi @admin, can you help me with the CVE ID for this report?

commented a year ago

Admin

Sorted the affected version :)

@Patrik - would you like me to assign a CVE for this report?

Patrik Dufresne

commented a year ago

Maintainer

@admin You may create a CVE for this report. Thanks

commented a year ago

Admin

Sorted :)

commented a year ago

Researcher

Thank you.!! @patrik @jamie

Patrik Dufresne marked this as fixed in 4.2.2 with commit 7b5c7e a year ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the ikus060/minarca team within 24 hours. a year ago

Patrik Dufresne validated this vulnerability a year ago

This vulnerability is valid. Was reported on Rdiffweb project.

Minarca will get fixed, whenever I upgrade Rdiffweb version embedded in Minarca.

Vanilla has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Patrik Dufresne

commented a year ago

Maintainer

Affected version should be 4.2.0

commented a year ago

Researcher

Thank you. Yes, If I could edit the affected version It is 4.2.0 for the Minarca.

We have sent a fix follow up to the ikus060/minarca team. We will try again in 7 days. a year ago

commented a year ago

Researcher

Hi @admin, can you help me with the CVE ID for this report?

commented a year ago

Admin

Sorted the affected version :)

@Patrik - would you like me to assign a CVE for this report?

Patrik Dufresne

commented a year ago

Maintainer

@admin You may create a CVE for this report. Thanks

commented a year ago

Admin

Sorted :)

commented a year ago

Researcher

Thank you.!! @patrik @jamie

Patrik Dufresne marked this as fixed in 4.2.2 with commit 7b5c7e a year ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation