Cookie without Secure attribute in pyload/pyload

Valid

Reported on

Jan 3rd 2023


Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Proof of Concept

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 107
Vary: Accept-Encoding
Set-Cookie: pyload_session=28d0985f-aea1-490b-9954-866be697d8ad; Expires=Fri, 03 Feb 2023 05:47:17 GMT; HttpOnly; Path=/; SameSite=Lax
Connection: close
Date: Tue, 03 Jan 2023 05:47:17 GMT
Server: Cheroot/8.6.0

Impact

User's cookies can be sent to the server with an unencrypted request over the HTTP protocol. This is not secure.

We are processing your report and will contact the pyload team within 24 hours. 7 days ago
bAu submitted a
7 days ago
We have contacted a member of the pyload team and are waiting to hear back 6 days ago
pyload/pyload maintainer validated this vulnerability 5 days ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev32 with commit 7b53b8 5 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
pyload/pyload maintainer published this vulnerability 5 days ago
to join this conversation