Sensitive Cookie Without HttpOnly Flag in it-novum/openitcockpit


Reported on

Jun 14th 2023


Access and login to the demo website:

Press F12 on your keyboard or right-click on the website to open dev-tool.

At Application tab, choose Cookies and there is CookieAuth (sensitive cookie) without HttpOnly flag.

Proof of Concept

Link image evidence:


If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

If the cookie is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data and assume the identity of the user.

We are processing your report and will contact the it-novum/openitcockpit team within 24 hours. 3 months ago
Chuu modified the report
3 months ago
We have contacted a member of the it-novum/openitcockpit team and are waiting to hear back 3 months ago
it-novum/openitcockpit maintainer validated this vulnerability 3 months ago

Hi Chuu, many thanks for contacting us. Sorry for my late response. I have only noticed today that you have created to separate reports for Security-Flag and HttpOnly Flag, my bad.

Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
it-novum/openitcockpit maintainer marked this as fixed in c4.6.7 with commit 6c717f 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 6th 2023
3 months ago


Hi, thank you too.

it-novum/openitcockpit maintainer published this vulnerability 3 months ago
to join this conversation