Cookiescanner - Tool to Check the Cookie Flag for a Multiple Sites
Tool that makes the web-scan process easier by checking whether the Secure and HttpOnly flags are enabled on cookies, and reporting the Path and Expires attributes too. The tool can probe multiple URLs from an input file, a Google-discovered domain including all of its subdomains, or a single URL. It also supports multiple output formats such as...
Celoxis 9.5 Cross Site Scripting
Celoxis alert "XSS" Advisory

Timeline
- 08/10/2015 - Informed vendor about issue
- 08/10/2015 - Vendor responded
- 12/11/2015 - Reminded vendor
- 14/11/2015 - Vendor responded saying 'they changed the framework itself to...
Shopify: Cookie securing your "Opening soon" store is not secured against XSS
PoC:
1. Protect your e-shop with a password (Storefront password).
2. Go to your e-shop URL and enter the password to access the store.
3. A cookie is created, named storefrontdigest; this cookie contains the password in a secure form that protects your store.
4. This cookie is not marked as...
IBM Security QRadar Incident Forensics Session Hijacking Vulnerability
IBM Security QRadar Incident Forensics is a suite of security forensic investigation software from IBM. The software supports in-depth forensic investigation of suspected malicious network security incidents and the remediation of network security vulnerabilities. IBM Security QRadar Incident Forensics 7.2...
CVE-2015-1994
IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...
CVE-2015-1994
CVE-2015-1994 concerns IBM QRadar Incident Forensics. Affects IBM QRadar Incident Forensics 7.2.x prior to 7.2.5 Patch 5 where the session cookie is missing the HTTPOnly flag, enabling potential cookie exposure via scripting and session hijacking. IBM’s security bulletin corroborates the vulnerab...
RHEL 6 : Virtualization Manager (RHSA-2015:0158)
Red Hat Enterprise Virtualization Manager 3.5.0 is now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links...
Web Application Cookies Not Marked HttpOnly
The remote web application sets various cookies throughout a user's unauthenticated and authenticated session. However, one or more of those cookies are not marked 'HttpOnly', meaning that a malicious client-side script, such as JavaScript, could read them. The HttpOnly flag is a security mechani...
Important: Red Hat Security Advisory: Red Hat Satellite 6.1.1 on RHEL 6
Red Hat Satellite 6.1 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having an important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE...
foreman: the _session_id cookie is issued without the Secure flag
It was found that Foreman did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie...
QIWI: Session Cookie without HttpOnly and secure flag set
Vulnerable URL: https://portal.int.qiwi.com/login.php. The PHPSESSID cookie does not have the HttpOnly flag set. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security...
PCS Daemon (pcsd) Cookie Signing Multiple Vulnerabilities
The remote host is affected by multiple vulnerabilities due to a failure by the PCS daemon (pcsd) to properly set flags in the 'Set-Cookie' header: - A security bypass vulnerability exists due to a failure to set the 'secure' flag. A remote attacker can exploit this to spoof cookies and bypass...
Multiple Blue Coat Systems SSL Visibility Appliance Product Sensitive Information Vulnerabilities
Blue Coat Systems SSL Visibility Appliance SV800 and others are SSL visibility appliances from Blue Coat Systems, USA, which are at the heart of encrypted traffic management, providing visibility into SSL traffic and supporting the addition of SSL inspection capabilities to advanced threat...
CVE-2015-4138
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive...
Design/Logic Flaw
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive...
CVE-2015-4138
The CVE-2015-4138 entry concerns Blue Coat SSL Visibility Appliance WebUI: SV800, SV1800, SV2800, SV3800 on 3.6.x–3.8.x (pre-3.8.4). The root cause is failure to set the HTTPOnly cookie flag on the administrator cookie, enabling potential script access to the cookie and information disclosure. Th...
CVE-2015-3983
The pcs daemon pcsd in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to differen...
Design/Logic Flaw
The pcs daemon pcsd in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to differen...