concrete5: HttpOnly flag not set for cookie on concrete5.org

2014-03-25T20:30:01
ID H1:4792
Type hackerone
Reporter tomdev
Modified 2014-04-16T11:12:07

Description

Hi,

The HttpOnly flag is not set on concrete5.org, making it easy to steal the cookie when an XSS is present on the site.

See HttpOnly on OWASP for more information.
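As an added example (not code from the report or from concrete5), a small Python checker for the condition described above: it audits Set-Cookie headers for the HttpOnly flag (and Secure, which normally belongs beside it) and produces the hardened header. The sample headers and cookie names are constructed placeholders.

```python
"""Check Set-Cookie headers for HttpOnly and show the hardened form.
Added example, not code from the report or concrete5; sample headers are
constructed and cookie names are placeholders."""

def _split(header_value: str) -> tuple[str, list[str]]:
    """Return (name=value pair, [attribute strings]) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    return parts[0], parts[1:]

def audit_set_cookie(header_value: str) -> list[str]:
    """Return the findings for one Set-Cookie header value (empty if none)."""
    pair, attrs = _split(header_value)
    flags = {a.split("=", 1)[0].lower() for a in attrs}  # attribute names, case-insensitive
    name = pair.split("=", 1)[0]
    findings = []
    if "httponly" not in flags:
        # Without HttpOnly the cookie is exposed to document.cookie, so any
        # script injected via XSS can read it; HttpOnly removes that exposure.
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in flags:
        findings.append(f"{name}: missing Secure (sent over plaintext HTTP)")
    return findings

def harden_set_cookie(header_value: str) -> str:
    """Return the same cookie with Secure and HttpOnly appended where absent."""
    pair, attrs = _split(header_value)
    flags = {a.split("=", 1)[0].lower() for a in attrs}
    if "secure" not in flags:
        attrs.append("Secure")
    if "httponly" not in flags:
        attrs.append("HttpOnly")
    return "; ".join([pair, *attrs])

def audit_response(headers: list[tuple[str, str]]) -> list[str]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [f for k, v in headers if k.lower() == "set-cookie" for f in audit_set_cookie(v)]

# Constructed sample response headers (placeholder cookie names, not captured traffic).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; path=/"),             # weak: readable from script
    ("Set-Cookie", "prefs=dark; path=/; Secure; HttpOnly"),  # already hardened
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS):
        print(finding)
    print(harden_set_cookie("session_id=abc123; path=/"))
```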