Lucene search

K
nvd[email protected]NVD:CVE-2024-2756
HistoryApr 29, 2024 - 4:15 a.m.

CVE-2024-2756

2024-04-2904:15:07
CWE-20
web.nvd.nist.gov
14
incomplete fix
insecure cookies
php applications
github advisory

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

7.9

Confidence

High

EPSS

0.006

Percentile

79.3%

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim’s browser which is treated as a __Host-Β or __Secure-Β cookie by PHP applications.

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

7.9

Confidence

High

EPSS

0.006

Percentile

79.3%