CVE-2014-3867

Name of the Vulnerable Software and Affected Versions IBM Sametime versions 8.x through 8.5.2.1 IBM Sametime versions 9.x through 9.0.0.1

Description The issue concerns the Meeting Server in IBM Sametime, where an unspecified cookie's Set-Cookie header lacks the HTTPOnly flag. This omission makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookie.

Recommendations For IBM Sametime versions 8.x through 8.5.2.1, update to a version that includes the HTTPOnly flag in the Set-Cookie header for the affected cookie. For IBM Sametime versions 9.x through 9.0.0.1, update to a version that includes the HTTPOnly flag in the Set-Cookie header for the affected cookie. As a temporary workaround, consider restricting access to the Meeting Server to minimize the risk of exploitation.