Description

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-3661

Related Vulnerabilities

Atlassian Jira Incorrect Authorization Vulnerability (CVE-2020-36238)

WordPress Plugin BulletProof Security Information Disclosure (5.1)

WebLogic CVE-2021-2018 Vulnerability (CVE-2021-2018)

Apache HTTP Server Numeric Errors Vulnerability (CVE-2010-0010)

WordPress Plugin Unyson Information Disclosure (2.7.18)

Severity

Medium

Classification

CVE-2008-3661

Tags

Missing Update Known Vulnerabilities