Sensitive Cookie Without 'HttpOnly' Flag in azuracast/azuracast

Valid

Reported on

Aug 26th 2021

✍️ Description

HTTPOnly attribute is not set for session cookies in the application.

🕵️‍♂️ Proof of Concept

💥 Impact

When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can make it easier to achieve account/session takeover.

Occurrences

index.php L1

References

Cookie without HttpOnly flag set - PortSwigger

Z-Old

commented 2 years ago

Admin

Hey Melbin, I've just emailed the repo's maintainers for you. Waiting to hear back, good job!

We have contacted a member of the azuracast team and are waiting to hear back 2 years ago

Buster Neece validated this vulnerability 2 years ago

Melbin Mathew Antony has been awarded the disclosure bounty

The fix bounty is now up for grabs

Buster Neece

commented 2 years ago

Maintainer

This issue has now been fixed as of the latest Rolling Release version.

Buster Neece marked this as fixed with commit 95a9b8 2 years ago

Buster Neece has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

Z-Old

commented 2 years ago

Admin

Hey Melbin, I've just emailed the repo's maintainers for you. Waiting to hear back, good job!

We have contacted a member of the azuracast team and are waiting to hear back 2 years ago

Buster Neece validated this vulnerability 2 years ago

Melbin Mathew Antony has been awarded the disclosure bounty

The fix bounty is now up for grabs

Buster Neece

commented 2 years ago

Maintainer

This issue has now been fixed as of the latest Rolling Release version.

Buster Neece marked this as fixed with commit 95a9b8 2 years ago

Buster Neece has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation