Description

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-3661

Related Vulnerabilities

RubyGems Improper Verification of Cryptographic Signature Vulnerability (CVE-2018-1000076)

WordPress Plugin Data Tables Generator by Supsystic Multiple Vulnerabilities (1.9.96)

WordPress Plugin OMFG Mobile Pro Cross-Site Scripting (1.1.26)

MediaWiki Insufficiently Protected Credentials Vulnerability (CVE-2020-29005)

Moodle Credentials Management Errors Vulnerability (CVE-2014-0008)

Severity

Medium

Classification

CVE-2008-3661

Tags

Missing Update Known Vulnerabilities