ID CVE-2009-3584
Summary SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
References
Vulnerable Configurations
  • cpe:2.3:a:sql-ledger:sql-ledger:2.8.24:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 10-10-2018 - 19:47)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
Vector | Complexity | Authentication
NETWORK | LOW | NONE
Impact
Confidentiality | Integrity | Availability
PARTIAL | NONE | NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 37431
bugtraq 20091221 SQL-Ledger - several vulnerabilities
secunia 37877
xf sqlledger-cookie-weak-security(54968)
Last major update 10-10-2018 - 19:47
Published 23-12-2009 - 18:30
Last modified 10-10-2018 - 19:47