John Mitchell

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer (affected versions not specified) **Description** The issue is related to Microsoft Internet Explorer's inability to properly restrict modifications to cookies established in HTTPS sessions. This allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response. The problem is connected to the lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, which is described as a "cookie forcing" issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Android browser (affected versions not specified) **Description** The issue is related to the Android browser's inability to properly restrict modifications to cookies established in HTTPS sessions. This allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response. The problem is connected to the lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, which is described as a "cookie forcing" issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.