882 matches found
Mozilla Firefox Security Advisories (MFSA2018-02, MFSA2018-03) - Mac OS X
Mozilla Firefox is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:firefox";...
Session Hijacking Through Lack Of HTTPOnly Flag
spree is vulnerable to session hijacking attacks. The vulnerability exists because the cookies it sets in the Set-Cookie HTTP header lack the HttpOnly flag...
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2015-5183
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ...
CVE-2015-5183
CVE-2015-5183 affects Red Hat AMQ/Hawtio console where cookies are missing HTTPOnly and Secure attributes. This exposes session cookies and could enable session-reuse or related unauthorized access in affected deployments. Public mentions and Red Hat advisories confirm the issue as a cookie secur...
Design/Logic Flaw
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies...
CVE-2014-9635
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies...
CVE-2014-9635
CVE-2014-9635 affects Jenkins before 1.586. The issue is that the application does not set the HttpOnly flag in Set-Cookie headers for session cookies when run on Tomcat 7.0.41+; this can allow remote attackers to access cookies via scripts and potentially obtain sensitive information. The cited ...
Cross-Site Scripting (XSS)
anchorcms/anchor-cms is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists because the write function in system/cookie.php does not set the HttpOnly flag when creating cookies, so a script injected into the page can read them...
Design/Logic Flaw
The Comcast firmware on Cisco DPC3939 firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST; Cisco DPC3939 firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST; Cisco DPC3939B firmware version dpc3939b-v303r204217-150321a-CMCST; Cisco DPC3941T firmware version DPC39412.5s3PRODsey; an...
CVE-2017-9492
The Comcast firmware on Cisco DPC3939 firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST; Cisco DPC3939 firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST; Cisco DPC3939B firmware version dpc3939b-v303r204217-150321a-CMCST; Cisco DPC3941T firmware version DPC39412.5s3PRODsey; an...
CVE-2017-9492
The CVE-2017-9492 issue affects Comcast firmware on Cisco DPC3939 (several builds), Cisco DPC3939B, Cisco DPC3941T, and Arris TG1682G devices, where the Set-Cookie header in the administration applications omits the HTTPOnly flag. This omission enables script access to cookies, potentially exposing ...
WakaTime: Sensitive Cookie Without 'HttpOnly' Flag
Hello wakatime security team, I found a security vulnerability: Sensitive Cookie Without 'HttpOnly' Flag. When I was testing your website I noticed that a csrftoken cookie appears in the response, but the cookie does not have the httponly flag. You should set the httponly flag for the following...
Microsoft Dynamic CRM 2016 Cross Site Scripting
Product: MS Dynamic CRM 2016 Vendor: Microsoft Vulnerability type: Cross Site Scripting Vulnerable version: MS Dynamic CRM 2016 SP1 and previous Vulnerable component: SyncFilterPage.aspx Report confidence: Confirmed Solution status: Not fixed by Vendor, will not patch the vuln. Fixed versions: -...
Stellar.org: Session Cookie without HttpOnly and secure flag set
vulnerable URL: www.stellar.org The PHPSESSID cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session...
Weblate: HttpOnly Flag not set
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this application then the cookie will be accessible and can be transmitted to another site. HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Apr 2017 08:27:17...
WordPress: plugins.trac.wordpress.org likely vulnerable to Cross Site Tracing (xst), TRACE HTTP method should be disabled
Background: A Cross-Site Tracing (XST) attack involves the use of Cross-Site Scripting (XSS) and the TRACE HTTP method. According to RFC 2616, "TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information." XST coul...
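Nearly every entry above is the same finding seen from a different product: a Set-Cookie header without HttpOnly (and often without Secure), or, in the last entry, a server that still answers TRACE so that an XSS payload can read headers the browser would otherwise hide. The audit below is an added example, not code from Weblate, WordPress or any other project listed here; it parses raw response headers the way the Weblate report shows them, reports each cookie missing HttpOnly, Secure or SameSite, and flags TRACE if an OPTIONS response advertises it in Allow. The sample responses and the SESSION_NAME_HINTS list are constructed for this demonstration and are assumptions, not data from the reports.

```python
"""Audit raw HTTP response headers for missing cookie flags and an enabled TRACE method.

Added example; not taken from any of the projects in the listing above. The
sample responses and the name heuristic below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Heuristic (an assumption of this example): cookie names that usually carry a
# session or CSRF token and therefore deserve the strictest flags.
SESSION_NAME_HINTS = ("sess", "sid", "jsessionid", "phpsessid", "csrf", "token", "auth")


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    looks_sensitive: bool

    @property
    def findings(self) -> List[str]:
        out = []
        if not self.httponly:
            out.append("missing HttpOnly")
        if not self.secure:
            out.append("missing Secure")
        if self.samesite is None:
            out.append("missing SameSite")
        return out


def split_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status line, [(lower-cased name, value), ...]) from a raw response head.

    Set-Cookie may legitimately repeat, so headers are kept as a list, not a dict.
    """
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = [line.rstrip("\r") for line in head.splitlines()]
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value: str) -> CookieReport:
    """Parse one Set-Cookie value; attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieReport(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs["samesite"].lower() if "samesite" in attrs else None,
        looks_sensitive=any(h in name.lower() for h in SESSION_NAME_HINTS),
    )


def audit_response(raw: str) -> List[Tuple[str, bool, List[str]]]:
    """Return (cookie name, looks sensitive, findings) for each weak cookie, plus a
    TRACE finding when an Allow header (from an OPTIONS response) lists TRACE."""
    _, headers = split_headers(raw)
    results = []
    for name, value in headers:
        if name == "set-cookie":
            rep = parse_set_cookie(value)
            if rep.findings:
                results.append((rep.name, rep.looks_sensitive, rep.findings))
        elif name == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            if "TRACE" in methods:
                results.append(("<TRACE>", True, ["TRACE method enabled (XST risk)"]))
    return results


# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n\r\n"
)
SAMPLE_OPTIONS = "HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED), ("options", SAMPLE_OPTIONS)):
        print(label, audit_response(sample))
```

One caveat when triaging its output: a session cookie such as PHPSESSID or JSESSIONID should always carry HttpOnly, but a CSRF token cookie that the front end reads with JavaScript for the double-submit pattern cannot, so the csrftoken finding above is a question to ask the application owner, not automatically a bug. The TRACE check only sees what the server advertises in Allow; confirm with an actual TRACE request before reporting XST.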