concrete5/concrete5 is vulnerable to Insecure Cookies. The vulnerability exists in controller.php because the ccmPoll cookie parameters do not include the Secure and HttpOnly attributes, which allows an attacker to gain access to the session and perform unauthorized actions.
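One way to check a site's responses for this weakness, as an added example that is not concrete5's own code: the script parses Set-Cookie headers and reports every cookie that lacks Secure or HttpOnly. The function names, sample headers and cookie value are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for missing Secure / HttpOnly.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercased_attribute: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def missing_flags(header_value, required=REQUIRED):
    """Return (cookie_name, [required attributes that are absent])."""
    name, attrs = parse_set_cookie(header_value)
    return name, [flag for flag in required if flag not in attrs]


def audit(headers):
    """headers: iterable of (name, value) pairs from one HTTP response."""
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie, missing = missing_flags(header_value)
        if missing:
            findings[cookie] = missing
    return findings


# Constructed sample headers (not captured from a real site).
EXPIRES = "expires=Thu, 01 Jan 2026 00:00:00 GMT"
SAMPLE_BEFORE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", f"ccmPoll=constructed-value; {EXPIRES}; path=/"),
]
SAMPLE_AFTER = [
    ("Set-Cookie", f"ccmPoll=constructed-value; {EXPIRES}; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE))
    print("after: ", audit(SAMPLE_AFTER))
```

Feed it the header pairs from a response of the site under test, fetched over HTTPS, to confirm that the upgrade took effect.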
concretecms.com
github.com/advisories/GHSA-f55r-8rcv-mqcf
github.com/concretecms/concretecms/commit/bc33100d54d4e5adf132d75a31df91437f6e71bd
github.com/concretecms/concretecms/issues/11000
github.com/concretecms/concretecms/pull/11078
github.com/concretecms/concretecms/releases/tag/9.2.0
www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20