CVE-2017-1000046: Sensitive Cookie Without HttpOnly and Secure Flag
CVSS Score: 7.5 (CVSS v3.0)
Basic Information
CVE ID: CVE-2017-1000046
GHSA ID:
EPSS Score: 0.51221%
CWE: CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute)
Published: 5/13/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
mautic/core | composer | < 2.1.1 | 2.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how the CookieHelper constructor handled cookie attributes. Commit f9e7981 shows two problems: 1) the httponly attribute was not initially taken from the configuration parameters, so cookies were emitted without HttpOnly; 2) the secure flag was enabled automatically whenever HTTPS was detected, regardless of the configured value, rather than being driven by configuration. This matches CWE-614, where the Secure attribute is not properly set on cookies sent over an HTTPS session. GitHub issue #1969 and PR #2311 confirm these were the exact code areas modified to fix the vulnerability.
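The weakness described above, as an added illustration that is not Mautic's code: a minimal cookie helper emitted with PHP's defaults (no HttpOnly, no Secure) beside a hardened one whose constructor takes both flags from configuration and only falls back to request-based HTTPS detection when no Secure setting is configured. The class names, the `$config` keys and the `$requestIsHttps` argument are hypothetical and stand in for whatever the application's configuration and request object provide.

```php
<?php
// Added example, not Mautic's CookieHelper. Class names, config keys and the
// $requestIsHttps flag are hypothetical placeholders.

final class WeakCookieHelper
{
    // Relies on setcookie() defaults: the cookie is sent without HttpOnly
    // (readable by page scripts) and without Secure (sent over plain HTTP).
    public function set(string $name, string $value, int $ttl): bool
    {
        return setcookie($name, $value, time() + $ttl, '/');
    }
}

final class SafeCookieHelper
{
    private string $path;
    private string $domain;
    private bool $secure;
    private bool $httponly;

    // $config mirrors cookie_* parameters; $requestIsHttps is what the
    // application's request object reports for the current request.
    public function __construct(array $config, bool $requestIsHttps)
    {
        $this->path   = $config['cookie_path'] ?? '/';
        $this->domain = $config['cookie_domain'] ?? '';

        // HttpOnly is read from configuration and defaults to enabled.
        $this->httponly = (bool) ($config['cookie_httponly'] ?? true);

        // Secure: honour an explicit configured value; only when the setting
        // is absent or empty is it derived from whether the request is HTTPS.
        $explicit = $config['cookie_secure'] ?? null;
        $this->secure = ($explicit === null || $explicit === '')
            ? $requestIsHttps
            : (bool) $explicit;
    }

    // Option array in the form accepted by setcookie() since PHP 7.3, so the
    // attributes that will be sent can be inspected without a web server.
    public function options(int $ttl): array
    {
        return [
            'expires'  => time() + $ttl,
            'path'     => $this->path,
            'domain'   => $this->domain,
            'secure'   => $this->secure,
            'httponly' => $this->httponly,
            'samesite' => 'Lax',
        ];
    }

    public function set(string $name, string $value, int $ttl): bool
    {
        return setcookie($name, $value, $this->options($ttl));
    }
}

// Offline check: with an empty cookie_secure setting and an HTTPS request,
// the hardened helper derives Secure from the request and keeps HttpOnly on.
$helper = new SafeCookieHelper(['cookie_secure' => ''], true);
print_r($helper->options(3600));
```

To confirm a deployed fix rather than the code, request a page that sets a session or tracking cookie and inspect the response header, for example `curl -sI https://your-host/ | grep -i set-cookie`; each sensitive cookie should carry both `Secure` and `HttpOnly`. Note that HttpOnly stops scripts reading the cookie but does not stop requests that automatically carry it, so it is a mitigation for cookie theft, not a CSRF defence.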