Improper storage of authorization cookie on HTTPS pages in pufferpanel/pufferpanel

Valid

Reported on Jun 25th 2022


The authorization cookie used by the panel (puffer_auth) is stored in the browser without using HttpOnly or Secure flags on the cookie.

Impact

Malicious JavaScript is able to access the cookie value.
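The weak cookie beside a hardened one, with a check a reviewer can run against a response. This is an added example, not PufferPanel's code or its merged fix; `setAuthCookie`, `missingFlags`, `auditCookie` and the token value are hypothetical names and constructed data. It assumes the cookie is issued by the server in a `Set-Cookie` header, since a cookie written from page script through `document.cookie` cannot be marked HttpOnly.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setAuthCookie (hypothetical helper) issues puffer_auth from the server.
// hardened=false reproduces the reported state: no HttpOnly, no Secure.
func setAuthCookie(w http.ResponseWriter, token string, hardened bool) {
	c := &http.Cookie{Name: "puffer_auth", Value: token, Path: "/"}
	if hardened {
		c.HttpOnly = true // not readable through document.cookie
		c.Secure = true   // only sent over HTTPS connections
	}
	http.SetCookie(w, c)
}

// missingFlags parses the response's Set-Cookie headers and returns the
// flags absent from the named cookie, or "cookie not set" if it is missing.
func missingFlags(resp *http.Response, name string) []string {
	for _, c := range resp.Cookies() {
		if c.Name != name {
			continue
		}
		var missing []string
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		return missing
	}
	return []string{"cookie not set"}
}

// auditCookie sets the cookie on an in-process recorder and audits it.
func auditCookie(hardened bool) []string {
	rec := httptest.NewRecorder()
	setAuthCookie(rec, "constructed-sample-token", hardened) // constructed value
	return missingFlags(rec.Result(), "puffer_auth")
}

func main() {
	fmt.Println("weak:    ", auditCookie(false))
	fmt.Println("hardened:", auditCookie(true))
}
```

`missingFlags` accepts any `*http.Response`, so the same check can run in an integration test against the panel's login response.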

Occurrences

We are processing your report and will contact the pufferpanel team within 24 hours. (a month ago)
We have contacted a member of the pufferpanel team and are waiting to hear back. (a month ago)
We have sent a follow up to the pufferpanel team. We will try again in 7 days. (a month ago)
Joshua Taylor validated this vulnerability. (a month ago)
Dane Everitt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joshua Taylor confirmed that a fix has been merged on 248336. (a month ago)
Joshua Taylor has been awarded the fix bounty
index.js#L25 has been validated