Session_id without Secure attribute in ikus060/rdiffweb
Valid
Reported on
Sep 9th 2022
Description
The user's session cookie (session_id) is set without the Secure attribute. Because the attribute is absent, the browser will also send the cookie to the server in an unencrypted request over plain HTTP, exposing the session id to anyone able to observe that traffic.
Proof of Concept
Open the browser and access the website; in this scenario I use the demo website. Check the cookie in the browser's dev tools and notice that the cookie's Secure attribute is false.
Impact
The session cookie can be sent to the server in an unencrypted request over the HTTP protocol, so the session id is exposed to anyone able to observe that plaintext traffic.
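The check from the Proof of Concept, done from a script instead of the browser's dev tools, as an added example that is not rdiffweb code and not part of the original report. It parses Set-Cookie headers with Python's http.cookies module and lists which of Secure, HttpOnly and SameSite each cookie lacks (SameSite goes beyond the report; the same audit catches it). The sample headers are constructed to mirror the finding, and the cookie name session_id is taken from the report title. Pass a URL as the first argument to audit a live response instead.

```python
"""Audit Set-Cookie headers for the Secure, HttpOnly and SameSite attributes.

Added example for this report (not rdiffweb code). SAMPLE_HEADERS are
constructed to mirror the finding: a session_id cookie set without Secure.
"""
import sys
import urllib.request
from http.cookies import CookieError, SimpleCookie

# Attributes every cookie is checked for. Secure and HttpOnly are the flags
# the report is about; SameSite is an addition beyond the report.
CHECKED_ATTRIBUTES = ("secure", "httponly", "samesite")

# Constructed sample headers: the first one reproduces the reported state,
# the second shows what a hardened cookie looks like.
SAMPLE_HEADERS = [
    "session_id=1f2e3d4c5b6a; Path=/; HttpOnly",
    "csrf=ab12cd34; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def audit_set_cookie_headers(headers):
    """Map each cookie name to the list of checked attributes it lacks.

    Each header is loaded into its own SimpleCookie because load() treats a
    string as a single Set-Cookie line. A header http.cookies cannot parse
    yields no cookies (or raises CookieError) and is skipped. Flag names are
    matched case-insensitively, so "secure" and "Secure" both count.
    """
    findings = {}
    for header in headers:
        jar = SimpleCookie()
        try:
            jar.load(header)
        except CookieError:
            continue
        for name, morsel in jar.items():
            # Morsel stores '' for an absent attribute, True for a flag that
            # is present, and the string value (e.g. 'Lax') for SameSite.
            findings[name] = [a for a in CHECKED_ATTRIBUTES if not morsel.get(a)]
    return findings


def session_cookie_is_secure(headers, name="session_id"):
    """True/False for the named cookie's Secure flag, None if it was not set."""
    findings = audit_set_cookie_headers(headers)
    if name not in findings:
        return None
    return "secure" not in findings[name]


def fetch_set_cookie_headers(url, timeout=10):
    """Return every Set-Cookie header of the final (post-redirect) response."""
    req = urllib.request.Request(url, headers={"User-Agent": "cookie-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Audit a live site if a URL is given, otherwise the constructed sample.
    headers = fetch_set_cookie_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for cookie, missing in audit_set_cookie_headers(headers).items():
        print(f"{cookie}: " + ("OK" if not missing else "missing " + ", ".join(missing)))
```

Running it with no argument reports session_id as missing secure and samesite. On the server side, rdiffweb is built on CherryPy, whose session tool exposes the settings tools.sessions.secure and tools.sessions.httponly for exactly these attributes of the session cookie; that is where a fix would be expected to land, stated here as an assumption, since the report does not show the patch.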
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours.
8 months ago: Chuu modified the report
8 months ago: The researcher's credibility has increased: +7
@uonghoangminhchau Could you or anyone else create a CVE report?
All sorted 👍 Once this report is marked as fixed (i.e. resolved), a CVE will automatically publish for this report with the CVE ID (CVE-2022-3174).
We have sent a fix follow-up to the ikus060/rdiffweb team. We will try again in 7 days.