PT-2014-5564 · Ibm · Ibm Sametime
Published
2014-05-26
·
Updated
2017-08-29
·
CVE-2014-3867
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
IBM Sametime versions 8.x through 8.5.2.1
IBM Sametime versions 9.x through 9.0.0.1
Description
The issue concerns the Meeting Server in IBM Sametime, where an unspecified cookie's Set-Cookie header lacks the HTTPOnly flag. This omission makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookie.
Recommendations
For IBM Sametime versions 8.x through 8.5.2.1, update to a version that includes the HTTPOnly flag in the Set-Cookie header for the affected cookie.
For IBM Sametime versions 9.x through 9.0.0.1, update to a version that includes the HTTPOnly flag in the Set-Cookie header for the affected cookie.
As a temporary workaround, consider restricting access to the Meeting Server to minimize the risk of exploitation.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ibm Sametime