Description

Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-3661

Related Vulnerabilities

Oracle Database Server CVE-2008-2590 Vulnerability (CVE-2008-2590)

Apache Tomcat Improper Input Validation Vulnerability (CVE-2013-2185)

WordPress Plugin WP to Twitter Cross-Site Scripting (3.0.5)

WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.17)

WordPress Plugin youForms for WordPress-Creating Forms for CopeCart Cross-Site Scripting (1.0.5)

Severity

Medium

Classification

CVE-2008-3661

Tags

Missing Update Known Vulnerabilities