Cookie without “Secure “ and “ HttpOnly ” flag attribute in unilogies/bumsys


Reported on

Jan 20th 2023


HttpOnly and Secure attribute is not set for session cookies in the application.

Proof of Concept


The " Secure flag "ensures that the cookie is only sent over a secure (HTTPS) connection, while the "Httponly flag" prevents the cookie from being accessed by JavaScript, which helps to protect against XSS attacks. Without these flags, an attacker may be able to intercept and steal the cookie, which could be used to gain unauthorized access to a user's account.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 10 months ago
Khurshid Alam validated this vulnerability 10 months ago

@ctflearner, We have already used HttpOnly flag. But as of development, currently the line is commented.

And we will add secure attribute in next release.

loader.php L18

Thank you.

ctflearner has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
10 months ago


@ khurshid Alam . I would be glad if you could assign a CVE for this

Khurshid Alam marked this as fixed in v1.0.3 with commit e1632b 10 months ago
has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability 10 months ago
10 months ago


@admin , can you please assign CVE for this

Ben Harvie
10 months ago


CVE assignment is in the hands of the maintainer, please refrain from tagging admins for this request. Thanks.

to join this conversation