Skip to main content

Incorrect Permission Assignment for Critical Resource


Severity High
Score 7.5/10


An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo in versions prior to 12.4. The session cookie and the pass cookie miss the "HttpOnly" flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests. This vulnerability is for the session cookie which can be leaked via JavaScript.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Advisory Timeline

  • Published