PT-2019-13856 · Red Hat · 3Scale

Published: 2019-12-12 · Updated: 2023-02-12 · CVE-2019-14849

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: 3scale versions prior to 2.6

Description: A vulnerability was found in which the HTTPOnly attribute was not set on the user session cookie. An attacker who can carry out a cross-site scripting attack can therefore read the session cookie from script and gain access to unauthorized information.

Recommendations: For versions prior to 2.6, update to version 2.6 or later to resolve the issue. As a temporary workaround, consider configuring the application to set the HTTPOnly attribute on the user session cookie to minimize the risk of exploitation.
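As an added example (not part of the advisory and not 3scale's own code), a small Python check that parses Set-Cookie headers, flags session cookies that lack HttpOnly, and shows what a header looks like once the workaround is applied. The sample headers are constructed, and matching the session cookie by the substring "session" in its name is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the session cookie's name contains "session"; substitute the
# deployment's actual session cookie name when auditing a real response.
SESSION_NAME_RE = re.compile(r"session", re.IGNORECASE)

@dataclass
class CookieReport:
    name: str
    is_session: bool
    http_only: bool
    secure: bool
    samesite: Optional[str]

def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieReport(
        name=name,
        is_session=bool(SESSION_NAME_RE.search(name)),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )

def find_exposed_session_cookies(headers: List[str]) -> List[str]:
    """Names of session cookies that script on the page could read (no HttpOnly)."""
    return [r.name for r in map(parse_set_cookie, headers)
            if r.is_session and not r.http_only]

def add_http_only(header: str) -> str:
    """The workaround applied to one header: append HttpOnly if it is missing."""
    return header if parse_set_cookie(header).http_only else header.rstrip("; ") + "; HttpOnly"

# Constructed sample response headers (not captured from a real 3scale system).
SAMPLE_HEADERS = [
    "user_session=abc123; Path=/; Secure",
    "_session_id=def456; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/",
    "authsession=ghi789; Expires=Wed, 21 Oct 2025 07:28:00 GMT; HttpOnly",
]
```

Running `find_exposed_session_cookies(SAMPLE_HEADERS)` reports only `user_session`; applying `add_http_only` to every header leaves nothing to report.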

Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2019-14849

Affected Products: 3Scale