Concrete CMS missing secure cookie parameters · CVE-2023-28472 · GitHub Advisory Database · GitHub

Concrete CMS missing secure cookie parameters

Moderate severity GitHub Reviewed Published Apr 28, 2023 to the GitHub Advisory Database • Updated Dec 8, 2023

Package

concrete5/concrete5 (Composer)

Affected versions

< 9.2.0

Patched versions

9.2.0

Description

Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.

References

Published by the National Vulnerability Database

Apr 28, 2023

Published to the GitHub Advisory Database Apr 28, 2023

Reviewed Apr 28, 2023

Last updated Dec 8, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N