CVE-2021-40642: Secure cookie test · textpattern/textpattern@211fab0
Textpattern CMS v4.8.7 and older is affected by a Sensitive Cookie in HTTPS Session Without 'Secure' Attribute weakness in textpattern/lib/txplib_misc.php: the Secure flag is not set on the txp_login session cookie. Without the Secure flag, the browser transmits the cookie in clear text whenever the user visits any HTTP URL within the cookie's scope, and an attacker may be able to induce that event by feeding the user suitable links, either directly or via another web site.
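A response-header check for this class of issue, added here as an example (not Textpattern's own code): it parses Set-Cookie values and reports a txp_login cookie that lacks Secure on an HTTPS response, and also reports a missing HttpOnly since the same defaults control that flag. The sample headers are constructed, and the requirement that Secure be present only on HTTPS responses mirrors the protocol-dependent default the fix introduces.

```python
"""Audit Set-Cookie headers for a session cookie missing the Secure flag."""

# Cookie names treated as session cookies; txp_login is the one from the CVE.
SESSION_COOKIES = {"txp_login"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(set_cookie_headers, over_https=True):
    """Return a list of (cookie, problem) findings for session cookies.

    Secure is required only when the response was served over HTTPS, which is
    exactly the condition the patched default derives from PROTOCOL; HttpOnly
    is expected on a session cookie regardless of scheme.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue
        if over_https and "secure" not in attrs:
            findings.append((name, "missing Secure"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


# Constructed sample headers: before and after the one-line fix.
BEFORE_FIX = ["txp_login=EXAMPLE; Path=/; SameSite=Lax", "txp_remember=1; Path=/"]
AFTER_FIX = ["txp_login=EXAMPLE; Path=/; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(headers))
```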
Secure cookie test
1 parent 925e363 commit 211fab0093999f59b0b61682aa988ac7d8337aa9
Showing 1 changed file with 1 addition and 1 deletion.
@@ -1033,7 +1033,7 @@ function set_cookie($name, $value = '’, $options = array())
‘expires’ => time() - 3600,
‘path’ => '’,
‘domain’ => '’,
‘secure’ => false,
‘secure’ => strtolower(PROTOCOL) == 'https://’,
‘httponly’ => false,
‘samesite’ => ‘Lax’ // None || Lax || Strict
);
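Review bot: the new `'secure'` default ties the flag to the protocol of the request that sets the cookie, so a login submitted over plain HTTP still produces a txp_login cookie without Secure, and a site reachable on both schemes keeps the exposure described in the CVE on its HTTP side; consider forcing `true` for the session cookie (or a configuration switch for HTTPS-only installs) instead of deriving it from PROTOCOL. While here, `'httponly' => false` remains the default for the same cookie and is worth revisiting for a login session.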