Mantis < 1.1.4 HTTPS Session Cookie Secure Flag Weakness

Severity: Low | Nessus Network Monitor Plugin ID 4694

Synopsis

The remote server is running Mantis, a bug-tracking application.

Description

The remote server is running Mantis, a bug-tracking application. This version of Mantis does not set the 'Secure' flag on cookies issued over SSL. Because the flag is missing, a browser will also send the cookie on plain HTTP requests to the same host, so the session cookie can be transmitted in cleartext.
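The following check, added here as an example and not part of the Nessus plugin or of Mantis, parses Set-Cookie headers captured from an HTTPS response and reports cookies that lack the Secure attribute. The header lines are constructed for the example and the cookie names are placeholders, not verified Mantis cookie names.

```python
"""Flag cookies set over HTTPS without the Secure attribute (added example)."""
from typing import Dict, List, Union

# Constructed sample: Set-Cookie header values as they might appear in one
# HTTPS response. Cookie names are placeholders, not real Mantis names.
SAMPLE_SET_COOKIE_HEADERS = [
    "MANTIS_SESSION=placeholder_session_token; path=/; HttpOnly",
    "MANTIS_PREFS=compact; path=/; Secure; HttpOnly",
    "MANTIS_VIEW=list; path=/",
]


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into name, value and a lowercase attribute map.

    Valueless attributes (Secure, HttpOnly) map to True; others keep their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate trailing ';'
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_secure(set_cookie_headers: List[str]) -> List[str]:
    """Return names of cookies (from an HTTPS response) that lack the Secure flag.

    Any cookie in this list would also be sent by the browser on plain HTTP
    requests to the same host, which is the weakness described above.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["attrs"].get("secure") is not True:
            findings.append(cookie["name"])
    return findings


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie {name!r} set over HTTPS without Secure attribute")
```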

Solution

Upgrade to version 1.1.4 or higher.

See Also

http://www.securityfocus.com/bid/31344

Plugin Details

Severity: Low

ID: 4694

Family: CGI

Published: 11/3/2008

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mantisbt:mantisbt

Reference Information

CVE: CVE-2008-3102

BID: 31344