Description

MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Remediation

References

CVE-2014-8775

Related Vulnerabilities

Drupal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-13666)

WordPress Plugin Frontend Post WordPress-AccessPress Anonymous Post includes Backdoor [Only if downloaded via the vendor website] (2.8.0)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2024-11993)

Oracle HTTP Server CVE-2023-22019 Vulnerability (CVE-2023-22019)

WordPress Plugin Stop User Enumeration Security Bypass (1.3.18)

Severity

Medium

Classification

CVE-2014-8775 CWE-200

Tags

Missing Update Known Vulnerabilities