Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVE-2025-24390

Medium

6.8/10

Summary

A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

References

Advisory Timeline

Published Jan 27, 2025

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVE-2025-24390

Summary

CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS