PT-2021-20858 · Unknown · Kiwi Syslog Server

Published: 2021-10-27 · Updated: 2022-10-27 · CVE-2021-35236

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kiwi Syslog Server versions 9.7.2 and earlier
Description: The Secure flag is not set on the SSL cookie. If the application is reachable over both HTTP and HTTPS, a browser will therefore attach the cookie to plain HTTP requests as well, and its value travels in clear text. The Secure attribute exists to prevent exactly this: a cookie carrying it is only sent over an encrypted channel such as HTTPS.
Recommendations: For Kiwi Syslog Server versions 9.7.2 and earlier, configure the application to be accessible over HTTPS only, so that the cookie cannot be sent in clear text. As a temporary workaround, restrict access to the application over HTTP until a proper fix is applied. At the moment there is no information about a newer version that contains a fix for this vulnerability.
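The following script, added here as an example and not code from the advisory or from Kiwi Syslog Server, shows the check a defender would run against an HTTP response: it parses every Set-Cookie header, reports the cookies that lack the Secure attribute, models the browser rule the description relies on (a Secure cookie is only attached to https requests), and produces the corrected header. The sample response and the cookie names (session_id, theme, csrftoken) are constructed for illustration; the real cookie name is not given on the page.

```python
# Added example: audit Set-Cookie headers for the Secure attribute.
# Not code from the advisory or the Kiwi Syslog Server product; the
# response and cookie names below are constructed.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session_id=3f9a1c; Path=/; HttpOnly\r\n"   # constructed: Secure missing
    "Set-Cookie: theme=dark; Path=/\r\n"                      # constructed: Secure missing
    "Set-Cookie: csrftoken=7b2e; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"  # constructed: correct
    "\r\n"
    "<html></html>"
)


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into name, value and a lowercase attribute map.

    Flag attributes (Secure, HttpOnly) map to True; valued attributes (Path=/)
    map to their string value. Attribute names are case-insensitive (RFC 6265).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def has_secure(cookie: dict) -> bool:
    """True when the parsed cookie carries the Secure attribute."""
    return cookie["attrs"].get("secure") is True


def would_browser_send(cookie: dict, scheme: str) -> bool:
    """Browser rule behind the advisory: a Secure cookie is attached only to
    https requests; a cookie without Secure is also attached over plain http."""
    if has_secure(cookie):
        return scheme.lower() == "https"
    return True


def set_cookie_headers(raw_response: str) -> list:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_response(raw_response: str) -> list:
    """Names of the cookies a response sets without the Secure attribute."""
    return [c["name"]
            for c in map(parse_set_cookie, set_cookie_headers(raw_response))
            if not has_secure(c)]


def add_secure(header_value: str) -> str:
    """Corrected header: append Secure when absent, leave a correct header as is."""
    if has_secure(parse_set_cookie(header_value)):
        return header_value
    return header_value.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for value in set_cookie_headers(SAMPLE_RESPONSE):
        cookie = parse_set_cookie(value)
        print(f"{cookie['name']:>10}: Secure={has_secure(cookie)}, "
              f"sent over http={would_browser_send(cookie, 'http')}")
    print("cookies lacking Secure:", audit_response(SAMPLE_RESPONSE))
    print("fixed header:", add_secure("session_id=3f9a1c; Path=/; HttpOnly"))
```

Run against a captured response (for example the headers saved from a login request), the audit lists every cookie that a browser would also send over plain HTTP. Note that the flag only removes the exposure while the server still answers on HTTP; once the application is reachable over HTTPS only, as the recommendation says, there is no cleartext channel for the cookie to leak through, but the Secure attribute remains the correct defence-in-depth setting.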

Weakness Enumeration: Missing Encryption of Sensitive Data

Related Identifiers: CVE-2021-35236

Affected Products: Kiwi Syslog Server