CVE-2008-3102

medium

Description

Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

References

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00648.html

https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00504.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/45395

http://www.securityfocus.com/bid/31344

http://www.securityfocus.com/archive/1/496684/100/0/threaded

http://www.securityfocus.com/archive/1/496625/100/0/threaded

http://www.gentoo.org/security/en/glsa/glsa-200812-07.xml

http://securityreason.com/securityalert/4298

http://secunia.com/advisories/32975

http://secunia.com/advisories/32330

http://secunia.com/advisories/32243

http://int21.de/cve/CVE-2008-3102-mantis.html

Details

Source: Mitre, NVD

Published: 2008-09-24

Updated: 2018-10-11

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N