Vulnerability Name: CVE-2008-3661 (CCN-45298)
Assigned: 2008-09-20
Published: 2008-09-20
Updated: 2021-04-21
Summary: Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVSS v3 Severity:
  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity:
  5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
  3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:
  Source: MITRE Type: CNA CVE-2008-3661
  Source: CCN Type: Drupal Web site Drupal
  Source: CCN Type: Hanno Boeck Advisories, 2008-09-20 drupal: Session hijacking vulnerability, CVE-2008-3661
  Source: MISC Type: Third Party Advisory http://int21.de/cve/CVE-2008-3661-drupal.html
  Source: CCN Type: OSVDB ID: 49126 Drupal HTTPS Session Cookie Secure Flag Weakness
  Source: BUGTRAQ Type: Third Party Advisory, VDB Entry 20080920 drupal: Session hijacking vulnerability, CVE-2008-3661
  Source: BID Type: Third Party Advisory, VDB Entry 31285
  Source: CCN Type: BID-31285 Drupal Insecure Cookie Disclosure Weakness
  Source: XF Type: Third Party Advisory, VDB Entry drupal-cookie-session-hijacking(45298)
  Source: XF Type: UNKNOWN drupal-cookie-session-hijacking(45298)
Vulnerable Configuration: Configuration 1: Configuration CCN 1: