
CVE-2017-1000046: Sensitive Cookie Without HttpOnly and Secure Flag

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.51221%
Published: 5/13/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
mautic/core  | composer  | < 2.1.1             | 2.1.1

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from improper cookie attribute handling in the constructor of CookieHelper. Commit f9e7981 shows two problems: (1) the httponly flag was not initially taken from the configuration parameters at all, and (2) the secure flag was enabled automatically whenever HTTPS was detected, regardless of configuration, rather than being driven by an explicit setting. This matches CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), where the Secure attribute is not reliably set on cookies issued over HTTPS. GitHub issue #1969 and PR #2311 confirm that these were the exact code areas modified to fix the vulnerability.
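The practical check that follows from this root cause is to look at the Set-Cookie headers an instance actually emits and verify that session-bearing cookies carry HttpOnly and, when served over HTTPS, Secure. The script below is an added example written for this page; it is not Mautic's CookieHelper and not Miggo's code. The sample headers are constructed, and every name in SESSION_COOKIE_NAMES other than PHPSESSID (PHP's default session cookie) is an assumption made for illustration.

```python
"""Audit Set-Cookie headers for session cookies lacking HttpOnly / Secure.

Added example for this page; not Mautic's CookieHelper and not Miggo's code.
The sample headers are constructed. Every cookie name in SESSION_COOKIE_NAMES
except PHPSESSID (PHP's default) is an assumption for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Cookie names treated as session-bearing. PHPSESSID is PHP's default session
# cookie; the other two names are assumed here, not taken from Mautic.
SESSION_COOKIE_NAMES = frozenset({"phpsessid", "mautic_session", "remember_me"})


@dataclass
class CookieInfo:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value (RFC 6265 layout) into its flags.

    Attribute names are case-insensitive. HttpOnly and Secure are bare
    attributes with no value, so their mere presence is what matters.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieInfo(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_cookies(set_cookie_headers: Iterable[str],
                  served_over_https: bool) -> Dict[str, List[str]]:
    """Return {cookie_name: [findings]} for every session cookie seen.

    HttpOnly is expected on a session cookie regardless of transport
    (CWE-1004). Secure is only required when the response was served over
    HTTPS (CWE-614): over plain HTTP a Secure cookie would never be sent
    back, so reporting it there would be a false positive.
    """
    report: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue
        findings: List[str] = []
        if not cookie.httponly:
            findings.append("missing HttpOnly")
        if served_over_https and not cookie.secure:
            findings.append("missing Secure")
        report[cookie.name] = findings
    return report


# Constructed sample response headers, not captured from a real Mautic instance.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; Path=/",                                    # no flags at all
    "mautic_session=def456; Path=/; HttpOnly",                     # HttpOnly only
    "remember_me=ghi789; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "theme=dark; Path=/",                                          # not a session cookie
]


if __name__ == "__main__":
    result = audit_cookies(SAMPLE_SET_COOKIE_HEADERS, served_over_https=True)
    for cookie_name, findings in result.items():
        print(f"{cookie_name}: {', '.join(findings) if findings else 'ok'}")
```

Run it against the headers captured from a login response (for example with `curl -sI https://host/s/login`) and pass served_over_https according to the scheme you actually requested; a cookie missing Secure on an HTTPS response is the condition this CVE describes, and one missing HttpOnly is reportable on either scheme.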


WAF Protection Rules

WAF Rule

Mautic prior to 2.1.1 fails to set flags on session cookies
