CVE-2008-7298

Name of the Vulnerable Software and Affected Versions Android browser (affected versions not specified)

Description The issue is related to the Android browser's inability to properly restrict modifications to cookies established in HTTPS sessions. This allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response. The problem is connected to the lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, which is described as a "cookie forcing" issue.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.