Sensitive Cookie Without 'HttpOnly' Flag
CVE-2023-28472
Summary
Concrete CMS (previously concrete5) in versions prior to 9.2.0RC2 does not have Secure and HTTP-only attributes set for "ccmPoll" cookies.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
References
Advisory Timeline
- Published