Description
Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
It was discovered that JBoss BRMS 6 and BPM Suite 6 are not setting HttpOnly flags on sensitive cookies. Remote attackers can access these cookies by using client-side scripts, usually through XSS.
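The defect described above is a missing cookie attribute, so the check a defender wants is a parser that inspects each `Set-Cookie` header a server emits and reports session cookies without `HttpOnly` (and, while at it, `Secure`). The following is an added example, not code from the advisory or from Red Hat's products; it assumes the Java EE default session cookie name `JSESSIONID`, and the sample headers at the bottom are constructed for illustration, not captured from BPM Suite.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example (not part of the original advisory): given raw Set-Cookie
header values as a server would send them, report cookies that lack the
HttpOnly flag, which is the defect the advisory describes, and show the
hardened form of the same header.
"""

# Assumption: the application uses the Java EE default session cookie name.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are compared case-insensitively (RFC 6265), so
    'HttpOnly', 'httponly' and 'HTTPONLY' all count as present.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return one finding per cookie that is missing HttpOnly or Secure.

    Each finding records the cookie name, whether it is a known session
    cookie (the high-impact case), and which attributes are absent.
    """
    findings = []
    for raw in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(raw)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append(
                {"cookie": name, "session": name in session_names, "missing": missing}
            )
    return findings


def fix_set_cookie(header_value):
    """Return the header with HttpOnly and Secure appended when absent.

    This is the shape a reverse proxy or servlet filter would rewrite the
    header into; it leaves headers that already carry both flags untouched.
    """
    _name, _value, attrs = parse_set_cookie(header_value)
    fixed = header_value.rstrip().rstrip(";")
    if "httponly" not in attrs:
        fixed += "; HttpOnly"
    if "secure" not in attrs:
        fixed += "; Secure"
    return fixed


# Constructed sample headers: the first has the vulnerable shape from the
# advisory (session cookie, no HttpOnly), the second is hardened, the third
# is a non-session cookie that is reported but flagged as low impact.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "JSESSIONID=def456; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        kind = "SESSION" if finding["session"] else "other"
        print(f"{finding['cookie']:<12} {kind:<8} missing: {', '.join(finding['missing'])}")
    print(fix_set_cookie(SAMPLE_HEADERS[0]))
```

Run against the real response headers of a deployment (for example, the output of `curl -sI` against the login page) to confirm the fix from the listed erratum is in effect; a session cookie that still appears without `HttpOnly` is the condition this advisory scores at 4.3.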
Affected packages

| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | dashbuilder | Affected | | |
| Red Hat JBoss BRMS 6 | dashbuilder | Affected | | |
| Red Hat JBoss BPMS 6.4 | | Fixed | RHSA-2017:0249 | 02.02.2017 |
| Red Hat JBoss BRMS 6.4 | | Fixed | RHSA-2017:0248 | 02.02.2017 |
Additional information

Status:

CVSS3: 4.3 Medium
CVSS2: 4.3 Medium
Related vulnerabilities
Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
CVSS3: 4.3 Medium
CVSS2: 4.3 Medium