Lucene search

GoogleOSV:BIT-ESPOCRM-2022-38846

HistoryMar 06, 2024 - 10:52 a.m.

BIT-espocrm-2022-38846

2024-03-0610:52:14

Google

osv.dev

espocrm

version 7.1.8

missing secure flag

browser

plain text cookies

insecure channel

http

mitm attack

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

51.1%

JSON

EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack.

CPENameOperatorVersion
espocrmle7.1.8
espocrmge7.1.8

CPE	Name	Operator	Version
	espocrm	le	7.1.8
	espocrm	ge	7.1.8

References

medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-missing-secure-flag-1664bac5ffe4

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

51.1%

JSON

Related for OSV:BIT-ESPOCRM-2022-38846