Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in tsolucio/corebos

Valid

Reported on Oct 18th 2021


Description

The session cookie is not marked with the 'Secure' attribute.

Proof of Concept

Log in to the demo page: http://demo.corebos.com/index.php?action=index&module=Home

Open Firefox developer options -> Storage -> check the 'Secure' option
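
The same check can be run against raw `Set-Cookie` response headers instead of the browser's storage view. The following Python is an added example, not part of the original report or the corebos code base; the function names are hypothetical and the header values are constructed samples.

```python
# Added example: audit Set-Cookie headers for a missing Secure attribute.
# The header values below are constructed samples, not captured from corebos.


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value ('' for flags).
    Only segments after the first ';' are attributes, so a cookie whose
    *value* happens to be "secure" is not mistaken for a flagged cookie.
    """
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for segment in rest:
        key, _, val = segment.strip().partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed Set-Cookie values for illustration.
SAMPLE_HEADERS = [
    "PHPSESSID=3f9c1a7e; path=/",                    # no Secure attribute
    "PHPSESSID=3f9c1a7e; path=/; SECURE; HttpOnly",  # flag in unusual case
    "mode=secure; Path=/",                           # "secure" is the value
    "lang=en; Path=/; Secure ; SameSite=Lax",        # stray whitespace
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"missing Secure: {cookie_name}")
```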

We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (10 months ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (9 months ago)
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. (9 months ago)
Joe Bordes validated this vulnerability. (a month ago)
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes confirmed that a fix has been merged on f0ef11. (a month ago)
Joe Bordes has been awarded the fix bounty