In Artax versions before 1.0.6, and 2.x versions before 2.0.6, cookies of foo.bar.example.com were leaked to foo.bar. Additionally, any site could set cookies for any other site.
Artax fixed this issue by following the behavior of newer browser implementations. Cookies can only be set on domains higher than or equal to the current domain, but not on any public suffixes.
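The rule described above can be checked with a small domain-matching routine in the style of RFC 6265. This is an added example, not Artax's code: the function names are hypothetical and `PUBLIC_SUFFIXES` is a constructed stand-in for the full Public Suffix List.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List (assumption); a real client
# must load the complete list instead of this handful of entries.
PUBLIC_SUFFIXES = {"com", "org", "bar", "uk", "co.uk"}


def _normalize(name):
    """Lower-case a host or Domain attribute and drop surrounding dots."""
    return name.strip().lower().strip(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """True if a cookie scoped to cookie_domain may be sent to request_host."""
    host, domain = _normalize(request_host), _normalize(cookie_domain)
    if host == domain:
        return True
    if _is_ip(host):
        return False  # IP literals only ever match exactly
    # The request host must be a subdomain of the cookie domain. The "." keeps
    # "badexample.com" from matching "example.com".
    return host.endswith("." + domain)


def accept_cookie_domain(request_host, domain_attr):
    """Return the domain a Set-Cookie is stored under, or None if rejected."""
    host, domain = _normalize(request_host), _normalize(domain_attr)
    if not domain:
        return host  # no Domain attribute: cookie is scoped to this host
    if domain in PUBLIC_SUFFIXES:
        return None  # never store a cookie for a whole public suffix
    if not domain_matches(host, domain):
        return None  # a site may only set cookies for itself or a parent
    return domain


if __name__ == "__main__":
    print(accept_cookie_domain("foo.bar.example.com", ".example.com"))
    print(domain_matches("foo.bar", "foo.bar.example.com"))
```

Matching always runs from the request host towards the cookie domain, never the other way round, so a cookie stored for foo.bar.example.com is not sent to foo.bar.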
github.com/advisories/GHSA-gm98-g2wf-7c68
github.com/amphp/artax
github.com/amphp/artax/commit/25668b891d2bced567bd69611c7d18b6a93d5fc4
github.com/amphp/artax/commit/accdadaf78f7a43305c3a97d6a964bbc550a555d
github.com/amphp/artax/releases/tag/v2.0.6
github.com/FriendsOfPHP/security-advisories/blob/master/amphp/artax/2017-05-09.yaml