
CVE-2022-4409: phpMyFAQ has insecure HTTP cookies

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.22421%
Published: 12/11/2022
Updated: 6/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
thorsten/phpmyfaq   composer    < 3.1.9               3.1.9

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from cookies being issued without the Secure attribute on HTTPS sessions. Without that attribute a browser will also send the cookie on plain-HTTP requests to the same host, so a network attacker can capture it. Two areas of the code are involved: 1) Session::setCookie(), where the cookie parameters are defined; before the fix it relied on a flawed protocol check, so HTTPS requests were not reliably recognised and the flag was omitted. 2) The bootstrap initialisation, where the session cookie settings were configured without proper handling of the secure flag. The patch in commit c16cc2b modifies both areas to set the Secure attribute according to whether the request arrived over HTTPS, which confirms these functions' involvement.
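As an added illustration (this is not phpMyFAQ's code, and it is not the exact check the project used before or after the fix), the following PHP shows a weak request-scheme check beside a hardened one, with the result fed into the options array that PHP 7.3+ accepts for setcookie() and session_set_cookie_params(). The function names, the $trustProxy parameter and the sample request environments are assumptions made for this example.

```php
<?php
// Added illustration (not phpMyFAQ's code): deriving the Secure flag from the
// request scheme. Function and variable names here are hypothetical.

declare(strict_types=1);

/**
 * Weak check: only recognises $_SERVER['HTTPS'] === 'on'. A SAPI or front end
 * that reports the scheme differently ('1', or only via SERVER_PORT or a
 * forwarded-proto header) is treated as plain HTTP, so the cookie is issued
 * without the Secure attribute even though the session is HTTPS.
 */
function isHttpsWeak(array $server): bool
{
    return isset($server['HTTPS']) && $server['HTTPS'] === 'on';
}

/**
 * Hardened check. $trustProxy must only be true when a TLS-terminating proxy
 * you control sets X-Forwarded-Proto; otherwise a client can send that header
 * itself and influence the result.
 */
function isHttps(array $server, bool $trustProxy = false): bool
{
    // PHP documents HTTPS as "non-empty when queried over HTTPS"; IIS uses 'off'.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https') {
        return true;
    }
    return false;
}

/** Cookie options in the array form accepted by PHP >= 7.3. */
function cookieOptions(bool $https, string $path = '/'): array
{
    return [
        'path'     => $path,
        'secure'   => $https,   // Secure: never sent over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

/** Apply the same options to the session cookie and an application cookie. */
function issueCookies(array $server, string $name, string $value): void
{
    $opts = cookieOptions(isHttps($server));
    session_set_cookie_params($opts);
    setcookie($name, $value, $opts);
}

// Constructed sample request environments for a CLI run; no cookies are sent.
$samples = [
    'HTTPS=on'      => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'HTTPS=1'       => ['HTTPS' => '1', 'SERVER_PORT' => '443'],
    'port 443 only' => ['SERVER_PORT' => '443'],
    'plain HTTP'    => ['HTTPS' => 'off', 'SERVER_PORT' => '80'],
];

foreach ($samples as $label => $server) {
    printf("%-14s weak=%-8s hardened=%s\n", $label,
        isHttpsWeak($server) ? 'secure' : 'INSECURE',
        isHttps($server) ? 'secure' : 'INSECURE');
}
```

Run it with `php` from the command line: the weak check reports the 'HTTPS=1' and 'port 443 only' environments as insecure although both are HTTPS requests, while the hardened check marks only the plain-HTTP environment as insecure. To confirm a deployed fix, inspect the Set-Cookie response header of an HTTPS request (for example with the browser's developer tools or curl -I) and check that the session cookie carries the Secure attribute.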


WAF Protection Rules

WAF Rule

phpMyFAQ contains a Sensitive Cookie in an HTTPS Session Without the 'Secure' Attribute in versions prior to 3.1.9.
