Description

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-3661

Related Vulnerabilities

WordPress Other Vulnerability (CVE-2007-2821)

IBMHttpServer Observable Discrepancy Vulnerability (CVE-2023-32342)

WordPress Plugin Swipe Checkout for Jigoshop Cross-Site Scripting (3.1.0)

MyBB Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-4624)

CakePHP Deserialization of Untrusted Data Vulnerability (CVE-2019-11458)

Severity

Medium

Classification

CVE-2008-3661

Tags

Missing Update Known Vulnerabilities