PT-2018-12734 · Ibm · Ibm Bigfix Platform
Published
2018-12-12
·
Updated
2019-10-09
·
CVE-2018-1480
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
IBM BigFix Platform versions 9.2.0 through 9.2.14
IBM BigFix Platform versions 9.5 through 9.5.9
Description
The issue is related to the lack of the 'HttpOnly' attribute on authorization tokens or session cookies. This could potentially allow attackers to obtain cookie values via malicious JavaScript if a Cross-Site Scripting vulnerability also exists, leading to the hijacking of user sessions.
Recommendations
For IBM BigFix Platform versions 9.2.0 through 9.2.14, set the 'HttpOnly' attribute on authorization tokens or session cookies to prevent potential session hijacking.
For IBM BigFix Platform versions 9.5 through 9.5.9, set the 'HttpOnly' attribute on authorization tokens or session cookies to prevent potential session hijacking.
Fix
Session Fixation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ibm Bigfix Platform