CVE-2014-0174
The CVE-2014-0174 issue affects Red Hat Enterprise MRG 2.5 (Cumin) where the session cookie is not marked HttpOnly in Set-Cookie, enabling potential script access to the cookie. Affected environments include Red Hat Enterprise Linux 5/6 running MRG 2.5. Root cause: Cumin did not set the HttpOnly ...
Moderate: Red Hat Security Advisory: Red Hat Enterprise MRG 2.5 Messaging and Grid security update
An updated cumin package that fixes two security issues is now available for Red Hat Enterprise MRG 2.5 for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System CVSS base scores, which give...
CVE-2014-4692
CVE-2014-4692 affects pfSense prior to 2.1.4. The vulnerability is that the session cookie Set-Cookie header is not marked HTTPOnly when using HTTP, enabling potential script access to the cookie and exposure of sensitive data. There is no explicit exploitation detail in the provided documents, a...
SimpleRisk 20130915-01 - Multiple Vulnerabilities
No description provided by source. 1. Advisory Information Title: SimpleRisk v.20130915-01 CSRF-XSS Account Compromise Advisory ID: RS-2013-0001 Date Published: 2013-09-30 2. Vulnerability Information Type: Cross-Site Request Forgery CSRF CWE-352, OWASP-A8, Cross-Site Scripting XSS CWE-79, OWASP-...
Apache httpOnly Cookie Disclosure
No description provided by source. // Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08 // Most browsers limit cookies to 4k characters, so we need multiple function setCookies good // Construct string for cookie value var str = ; for var i=0; i 819; i+...
Openfiler NAS/SAN Appliance 2.99 XSS / Traversal / Command Injection
Tested on Openfiler NAS/SAN Appliance version 2.99 Author: MiDoveteMollare Date: 10 June 2014 OS Command Injection after authentication 1 page: servicesiscsitarget.html parameter: password POST /admin/servicesiscsitarget.html HTTP/1.1 Host: IP:446 Accept: */* Accept-Language: en User-Agent:...
CVE-2013-4724
DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions, does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to...
Design/Logic Flaw
DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions, does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to...
CVE-2013-4724
CVE-2013-4724 affects DDSN Interactive cm3 Acora CMS versions including 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1 (and possibly others). The issue is failure to set the HTTPOnly flag on a Set-Cookie header for an unspecified cookie, potentially allowing remote attackers to access sensitive cooki...
CVE-2013-4724
DDSN Interactive cm3 Acora CMS 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, 5.5.0/1b-p1, and possibly other versions, does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to...
CVE-2014-3867
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different...
CVE-2014-3867
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different...
CVE-2014-3867
The CVE-2014-3867 entry concerns IBM Sametime Meeting Server versions 8.x up to 8.5.2.1 and 9.x up to 9.0.0.1 that do not set the HTTPOnly flag for an unspecified cookie in an HTTPS session. This omission can allow remote attackers to access potentially sensitive data via script access to the coo...
[oss-security] CVE request: Pyplate multiple vulnerabilities
Hello list, My friend Teemu V. "requested" a security audit for Pyplate. While quickly checking the quality of this software I noticed the following issues. This is not a full security audit as I don't have much free time. Tested version: v0.08 still beta Vendor notification: 2014-05-13 Issue 1. Installati...
Design/Logic Flaw
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP...
IRCCloud: "SESSION" Cookie without HttpOnly flag set
Vulnerability description This cookie does not have the HTTPOnly flag set. When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies. This...
EMC VPLEX GeoSynchrony Information Disclosure Vulnerability
Bugtraq ID:666517 CVE ID:CVE-2014-0634 EMC VPLEX GeoSynchrony is virtual machine data storage software. VPLEX GeoSynchrony has a missing HttpOnly attribute vulnerability; by exploiting it, a remote attacker can obtain sensitive information. 0 EMC VPLEX GeoSynchrony 4.0-5.2.1 The vendor has released an upgrade patch to fix the vulnerability; please download and apply it: http://www.emc.com/products-solutions/index.htm...
Code injection
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...
ESA-2014-016: EMC VPLEX Multiple Vulnerabilities
ESA-2014-016.txt -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2014-016: EMC VPLEX Multiple Vulnerabilities EMC Identifier: ESA-2014-016 CVE Identifier: See below for individual CVEs Severity Rating: CVSS v2 Base Score: See below for individual CVSS scores Affected products: All versions from...
Coinbase: Cookie missing the HttpOnly flag
Hello coinbase, I am saikiran. I am a security researcher. While I was going through your site I found that your website does not have the HTTPOnly flag for the cookies. It is not a vulnerability but it is a new improvement and improves the security of your site. If you're not aware of the HTTPOnly flag here is...