PT-2022-21460 · Wwbn · Avideo

Claudio Bozzato · Published 2022-08-22 · Updated 2022-08-24 · CVE-2022-32778

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 11.6 and dev master commit 3f7c0364

Description: An information disclosure issue exists in the cookie functionality. The session cookie and the pass cookie lack the HttpOnly flag, making them accessible to JavaScript. The session cookie also lacks the Secure flag, allowing it to be sent over non-HTTPS connections. This could enable an attacker to steal the session cookie via crafted HTTP requests. The pass cookie, which contains the hashed password, can be leaked via JavaScript.

Recommendations: For both WWBN AVideo version 11.6 and dev master commit 3f7c0364, set the HttpOnly and Secure flags on the session and pass cookies so that they cannot be read by JavaScript or transmitted over non-HTTPS connections. As a temporary workaround, restrict access to the pass cookie and session cookie until a patch is available.
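As an added example (not code from the advisory or the AVideo project), the check below parses the Set-Cookie headers of a response, reports which credential-bearing cookies lack HttpOnly or Secure, and shows how such a header is rewritten with both flags. The cookie names are assumptions: PHPSESSID is PHP's default session cookie name, and `pass` stands in for AVideo's pass cookie.

```python
# Added example: audit Set-Cookie headers for the two weaknesses the advisory
# describes (missing HttpOnly, missing Secure) and show the hardened header.

# Constructed sample headers modelled on the advisory: the session cookie lacks
# both flags, the pass cookie (an MD5-style hash, constructed value) lacks only
# HttpOnly, and an unrelated preference cookie is already correct.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; path=/",
    "pass=5f4dcc3b5aa765d61d8327deb882cf99; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/; Secure",
    "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
]

SENSITIVE = {"PHPSESSID", "pass"}      # cookies carrying credentials (assumed names)
REQUIRED_FLAGS = ("HttpOnly", "Secure")  # attribute names are case-insensitive (RFC 6265)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, [(attribute, value_or_None)])."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = []
    for part in rest:
        if part:
            key, sep, val = part.partition("=")
            attrs.append((key.strip(), val.strip() if sep else None))
    return name.strip(), value.strip(), attrs


def missing_flags(attrs):
    """Return the required flags absent from a parsed attribute list."""
    present = {key.lower() for key, _ in attrs}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]


def audit_cookies(headers, sensitive=SENSITIVE):
    """Return {cookie_name: [missing flags]} for sensitive cookies that lack a flag."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in sensitive and missing_flags(attrs):
            findings[name] = missing_flags(attrs)
    return findings


def harden_set_cookie(header):
    """Rebuild the header, appending HttpOnly and Secure where they are absent."""
    name, value, attrs = parse_set_cookie(header)
    attrs = attrs + [(flag, None) for flag in missing_flags(attrs)]
    return "; ".join([f"{name}={value}"] + [k if v is None else f"{k}={v}" for k, v in attrs])


if __name__ == "__main__":
    for cookie, flags in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

Secure only takes effect when the site is actually served over HTTPS; on a plain-HTTP deployment the browser will not send a Secure cookie back, so the transport must be fixed alongside the flag.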

Fix

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2022-32778

Affected Products

Avideo