882 matches found

AlpineLinux
added 2016/12/11 2:00 a.m. | 25 views

CVE-2016-9848

An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

CVSS 5.3 | AI score 7.2 | EPSS 0.00336
Exploits 0
CVE
added 2016/12/11 2:00 a.m. | 76 views

CVE-2016-9848

CVE-2016-9848 affects phpMyAdmin: the phpinfo() output reveals PHP info including the values of HttpOnly cookies. Affected versions are all 4.6.x before 4.6.5, all 4.4.x before 4.4.15.9, and all 4.0.x before 4.0.10.18. The issue is due to exposure of cookie values in phpinfo output. Mitigation: u...

CVSS 5.3 | AI score 6.8 | EPSS 0.00336
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2016/12/11 2:00 a.m. | 20 views

CVE-2016-9848

An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...

AI score 7 | EPSS 0.00336
Exploits 0 | References 3
Hacker One
added 2016/12/10 8:36 p.m. | 30 views

Gratipay: Cookie HttpOnly Flag Not Set

Hello, I detected that this cookie was set without the HttpOnly flag. When this flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target session cookies...

AI score 0.3
Exploits 0
Mageia
added 2016/12/09 8:42 a.m. | 41 views

Updated phpmyadmin packages fix security vulnerability

In phpMyAdmin before 4.4.15.9, when the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported in the way this value is created, which uses a weak algorithm. This could allow an attacker to determine the user's...

CVSS 9.8 | AI score 0.2 | EPSS 0.01202
Exploits 0 | References 15
Hacker One
added 2016/12/06 11:50 a.m. | 20 views

Robinhood: httponly flag not set + csrftoken in url

INFORMATION: Hello, I was looking into and found something interesting. I found that the httponly flag is not set, which is really harmful because the httponly flag acts as a filter to stop client-side script attacks like XSS or session hijacking. So the csrftoken has no httponly flag at...

AI score 6.8
Exploits 0
OpenVAS
added 2016/11/15 12:00 a.m. | 18 views

IBM Tivoli Endpoint Manager 'HTTPOnly flag' Information Disclosure Vulnerability

IBM Tivoli Endpoint Manager is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 5 | AI score 6.1 | EPSS 0.00234
Exploits 0 | References 2
Prion
added 2016/09/07 6:59 p.m. | 18 views

Design/Logic Flaw

Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies...

CVSS 5 | AI score 6.5 | EPSS 0.00321
Exploits 0 | References 4 | Affected Software 1
OSV
added 2016/09/07 6:59 p.m. | 1 view

CVE-2016-6344

Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies...

CVSS 5.3 | AI score 5.8
Exploits 0 | References 4
CVE
added 2016/09/07 6:00 p.m. | 57 views

CVE-2016-6344

CVE-2016-6344 affects Red Hat JBoss BRMS 6 and Red Hat JBoss BPM Suite 6, where HttpOnly flags are not set on session cookies. This exposes cookies to access via client-side scripts (XSS), enabling potential information disclosure. Red Hat RHSA-2017:0248/0249 documents a security update for BRMS/...

CVSS 5.3 | AI score 5.9 | EPSS 0.00321
Exploits 0 | References 4 | Affected Software 1
Cvelist
added 2016/09/07 6:00 p.m. | 17 views

CVE-2016-6344

Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies...

AI score 5.1 | EPSS 0.00321
Exploits 0 | References 4
0day.today
added 2016/09/07 12:00 a.m. | 61 views

CumulusClips 2.4.1 - Multiple Vulnerabilities

Exploit for php platform in category web applications Exploit Title: CumulusClips Session fixation Google Dork: inurl:/cumulusclips/videos/ Date: 2.09.2016 Exploit Author: kor3k / Łukasz Korczyk Vendor Homepage: http://cumulusclips.org/ Software Link: http://cumulusclips.org/cumulusclips.zip...

AI score 7.1
Exploits 0
RedhatCVE
added 2016/08/31 7:48 a.m. | 20 views

CVE-2016-6344

It was discovered that JBoss BRMS 6 and BPM Suite 6 are not setting HttpOnly flags on sensitive cookies. Remote attackers can access these cookies by using client-side scripts, usually through XSS...

CVSS 5.3 | AI score 2.1 | EPSS 0.00321
Exploits 0 | References 1
Hacker One
added 2016/08/25 5:31 p.m. | 26 views

HackerOne: Session hijacking attack

Hi, you have a Session hijacking attack https://www.owasp.org/index.php/Session_hijacking_attack. Yes, you use HttpOnly cookies, but in older browsers bypasses of such restrictions exist, and that does not, in theory, prevent finding this in the future. As you update the site on a daily basis and it is possible to...

AI score 0.4
Exploits 0
RedhatCVE
added 2016/08/12 4:19 a.m. | 26 views

CVE-2016-5409

Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a Set-Cookie header for the GEARID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies...

CVSS 7.5 | AI score 4.2 | EPSS 0.00234
Exploits 0 | References 1
Hacker One
added 2016/08/08 7:36 a.m. | 18 views

Gratipay: Cookie HttpOnly Flag not set

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this application then the cookie will be accessible and can be transmitted to another site...

AI score 0.9
Exploits 0
OpenVAS
added 2016/07/12 12:00 a.m. | 33 views

IBM WebSphere Application Server Liberty Multiple Liberty Vulnerabilities (Jul 2016)

IBM WebSphere Application Server Liberty is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2016 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 7.5 | AI score 6.7 | EPSS 0.00633
Exploits 0 | References 6
OSV
added 2016/07/07 2:59 p.m. | 2 views

CVE-2016-2923

IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script acces...

CVSS 7.5 | AI score 7.3
Exploits 0 | References 3
NVD
added 2016/07/07 2:59 p.m. | 14 views

CVE-2016-2923

IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script acces...

CVSS 7.5 | AI score 7.2 | EPSS 0.00278
Exploits 0 | References 3
Prion
added 2016/07/07 2:59 p.m. | 13 views

Design/Logic Flaw

IBM WebSphere Application Server (WAS) 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script acces...

CVSS 5 | AI score 6.2 | EPSS 0.00278
Exploits 0 | References 3 | Affected Software 1