Cookie without Secure attribute in pyload/pyload
Valid
Reported on Jan 3rd 2023
Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Proof of Concept
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 107
Vary: Accept-Encoding
Set-Cookie: pyload_session=28d0985f-aea1-490b-9954-866be697d8ad; Expires=Fri, 03 Feb 2023 05:47:17 GMT; HttpOnly; Path=/; SameSite=Lax
Connection: close
Date: Tue, 03 Jan 2023 05:47:17 GMT
Server: Cheroot/8.6.0
Impact
The user's cookies can be sent to the server in an unencrypted request over HTTP. This is not secure.
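A check for this condition, as an added example that is not part of the original report or pyLoad's code: it parses the Set-Cookie headers of a raw HTTP response and lists the attributes each cookie lacks. The function names and the hardened comparison response are assumptions constructed for the example; the PoC headers are taken from the response above.

```python
# Added example: audit Set-Cookie headers in a raw HTTP response.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names are lowercased."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs

def audit_response(raw):
    """Return {cookie_name: [findings]} for each Set-Cookie header in the response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    report = {}
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("Secure missing: cookie is also sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append("HttpOnly missing: cookie is readable from script")
        if "samesite" not in attrs:
            issues.append("SameSite missing: browser default applies")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            issues.append("SameSite=None without Secure: rejected by modern browsers")
        report[name] = issues
    return report

# Response headers from the Proof of Concept above.
POC_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
    "Set-Cookie: pyload_session=28d0985f-aea1-490b-9954-866be697d8ad; "
    "Expires=Fri, 03 Feb 2023 05:47:17 GMT; HttpOnly; Path=/; SameSite=Lax",
    "Server: Cheroot/8.6.0",
    "", "",
])
# Constructed for comparison: the same header with Secure appended.
HARDENED_RESPONSE = POC_RESPONSE.replace("SameSite=Lax", "SameSite=Lax; Secure")

if __name__ == "__main__":
    for label, raw in (("PoC", POC_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw))
```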
We are processing your report and will contact the pyload team within 24 hours.
7 days ago
We have contacted a member of the pyload team and are waiting to hear back
6 days ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE