Description

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-3661

Related Vulnerabilities

WordPress Plugin Sermon Browser Multiple Cross-Site Scripting Vulnerabilities (0.45.15)

WordPress Plugin ChimpMate-WordPress MailChimp Assistant Local File Inclusion (1.3.2)

JQuery UI Cross-site Scripting (XSS) Vulnerability (CVE-2016-7103)

WordPress Plugin Sucuri Security-Auditing, Malware Scanner and Security Hardening Cross-Site Scripting (1.7.15)

WordPress Plugin Membership Simplified Arbitrary File Download (1.58)

Severity

Medium

Classification

CVE-2008-3661

Tags

Missing Update Known Vulnerabilities