CVE-2022-38846: EspoCRM 7.1.8 is vulnerable to Missing Secure Flag - Cybersecurity@ValueLabs - Medium
EspoCRM version 7.1.8 is vulnerable to a Missing Secure Flag weakness: because the session cookie is set without the Secure attribute, the browser will also send it in plain text over an insecure channel (HTTP). An attacker positioned on that channel may capture the cookie with a man-in-the-middle (MITM) attack.
Affected Product and Version: EspoCRM 7.1.8
Description: EspoCRM is an open-source CRM (customer relationship management) application written in PHP that lets users view and manage company relationships. EspoCRM version 7.1.8 is vulnerable to a Missing Secure Flag weakness: the cookie is issued without the Secure attribute, so the browser sends it in plain text over an insecure channel (HTTP), where an attacker may capture it with a MITM attack.
Impact: The attacker may replay the captured cookie to access the application as the authenticated user and perform any action that user is allowed to perform. The severity therefore depends on the role of the compromised user.
Steps to reproduce:
1. Log in to the application.
2. Capture the response to the login request and inspect its Set-Cookie header. Observe that the Secure attribute is missing.
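As an added example that is not part of the original advisory, the script below automates the check from step 2: it parses the Set-Cookie headers of a captured login response and reports cookies lacking the Secure attribute (and, for completeness, HttpOnly and SameSite). The response, cookie names and values are constructed for illustration and are not EspoCRM's real ones.

```python
from __future__ import annotations

# Constructed sample of a login response as captured in an intercepting proxy.
# Cookie names/values are placeholders, not EspoCRM's actual cookies.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: PHPSESSID=constructed-session-id; Path=/; HttpOnly\r\n"
    "Set-Cookie: auth-token=constructed-token; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "{}"
)


def parse_set_cookie_headers(raw_response: str) -> list[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]          # headers only, no body
    lines = head.split("\r\n")[1:]                       # skip the status line
    return [ln.split(":", 1)[1].strip()
            for ln in lines if ln.lower().startswith("set-cookie:")]


def audit_cookie(header_value: str) -> dict:
    """Flag missing security attributes on one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Cookie attribute names are case-insensitive (RFC 6265), so normalise them.
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")        # the weakness in this advisory
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    elif attrs["samesite"] == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")  # browsers reject this combo
    return {"name": name, "findings": findings}


def audit_response(raw_response: str) -> dict[str, list[str]]:
    """Map each cookie name in the response to its list of findings."""
    return {r["name"]: r["findings"]
            for r in (audit_cookie(h) for h in parse_set_cookie_headers(raw_response))}


if __name__ == "__main__":
    for cookie, findings in audit_response(SAMPLE_RESPONSE).items():
        print(cookie, "->", ", ".join(findings) or "OK")
```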
Remediation:
Upgrade to the latest stable version, EspoCRM 7.1.9.