Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in tsolucio/corebos

Valid

Reported on

Oct 18th 2021


Description

The session cookie is not marked with 'Secure'.

Proof of Concept

Log in to the demo page: http://demo.corebos.com/index.php?action=index&module=Home

Open Firefox developer options -> Storage -> check the Secure option
We have contacted a member of the tsolucio/corebos team and are waiting to hear back. (2 years ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (2 years ago)
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. (2 years ago)
Joe Bordes validated this vulnerability a year ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes marked this as fixed in 8.0 with commit f0ef11 a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE