CVE-2020-4763

Name of the Vulnerable Software and Affected Versions IBM Sterling File Gateway versions 2.2.0.0 through 2.2.6.5 IBM Sterling File Gateway versions 6.0.0.0 through 6.0.3.2

Description The issue arises because the software does not set the secure attribute on authorization tokens or session cookies. This allows attackers to potentially obtain cookie values by sending a user a http link or by planting this link in a site the user visits. The cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.

Recommendations For versions 2.2.0.0 through 2.2.6.5, consider updating to a version that sets the secure attribute on authorization tokens or session cookies. For versions 6.0.0.0 through 6.0.3.2, consider updating to a version that sets the secure attribute on authorization tokens or session cookies. As a temporary workaround, consider restricting access to sensitive information until a patch is available.