Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVE-2022-25151

High

7.5/10

Summary

Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

References

Advisory Timeline

Published Jun 09, 2022

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVE-2022-25151

Summary

CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS