Description

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-3661

Related Vulnerabilities

Jenkins Deserialization of Untrusted Data Vulnerability (CVE-2017-2608)

MyBB Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2021-43281)

MySQL CVE-2017-3646 Vulnerability (CVE-2017-3646)

WordPress Plugin Thrive Headline Optimizer Security Bypass (1.3.7.2)

WordPress Plugin Fonts-Google Fonts Typography Cross-Site Scripting (3.0.2)

Severity

Medium

Classification

CVE-2008-3661

Tags

Missing Update Known Vulnerabilities