PT-2024-10870 · IBM · IBM Cognos Controller
Published 2024-05-03 · Updated 2024-12-05 · CVE-2021-20450
CVSS v3.1: 4.3 (Medium) · Vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions IBM Cognos Controller versions 10.4.1 through 11.0.0
Description IBM Cognos Controller does not set the Secure attribute on its authorization tokens or session cookies. Without that attribute a browser attaches the cookie to every request for the issuing host, including plain-HTTP ones. An attacker who gets a victim to open an http:// link to the Cognos Controller server (by sending it directly or by planting it in a page the victim visits) and who can observe that traffic on the network path can read the cookie value from the unencrypted request; if it is a valid session identifier, that is enough to hijack the session. The CVSS vector (PR:N, UI:R, C:L) reflects this: no privileges are needed, a user action is required, and the direct impact is limited to disclosure of the cookie.
Recommendations For versions 10.4.1 through 11.0.0, upgrade to a release that sets the Secure attribute on authorization tokens and session cookies. Until the upgrade is done, reduce the exposure window: serve the application over HTTPS only, redirect or reject plain-HTTP requests at the front-end (reverse proxy or load balancer) and enable HSTS so browsers stop issuing http:// requests to the host, and, where the front-end supports it, add the Secure and HttpOnly attributes to cookies it forwards. After patching or applying the workaround, verify by inspecting the Set-Cookie headers returned by the login flow: every session or token cookie should carry Secure. Identify affected systems and upgrade the vulnerable component to remove the exposure rather than relying on the workaround.
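The following check, added here as an example and not part of the advisory or of IBM's own tooling, parses the Set-Cookie headers of an HTTP response, flags cookies that look like session or authorization tokens and lack Secure or HttpOnly, and applies the RFC 6265 rule that decides whether a browser would attach each cookie to a plain-HTTP request. The two responses, the cookie name JSESSIONID and the host cognos.example.com are constructed samples chosen for illustration, not values taken from the product.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attribute and show
what a browser does with a cookie that lacks Secure.

Added example for this advisory, not code from IBM or from the advisory page.
The two HTTP responses below are constructed samples; the cookie name
JSESSIONID and the host cognos.example.com are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Substrings that suggest a cookie carries a session or authorization token.
SENSITIVE_NAME_HINTS = ("session", "sessid", "token", "auth", "passport")


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute name (lower-cased) -> value

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into a Cookie (RFC 6265 section 5.2)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def set_cookie_headers(raw_response: bytes) -> list:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """RFC 6265 section 5.4: a cookie carrying Secure is only attached to
    requests over a secure channel. Domain/Path matching is omitted here;
    the URL is assumed to be in scope for the cookie."""
    if cookie.secure and urlparse(url).scheme != "https":
        return False
    return True


def audit(raw_response: bytes, http_url: str = "http://cognos.example.com/") -> list:
    """One finding per cookie: does it look sensitive, does it carry
    Secure/HttpOnly, and would a browser leak it on a plain-HTTP request?"""
    findings = []
    for header in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(header)
        sensitive = any(h in cookie.name.lower() for h in SENSITIVE_NAME_HINTS)
        findings.append({
            "name": cookie.name,
            "sensitive": sensitive,
            "secure": cookie.secure,
            "httponly": cookie.httponly,
            "leaks_over_http": sensitive and browser_would_send(cookie, http_url),
        })
    return findings


# Constructed sample: pre-fix behaviour, session cookie without Secure.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=light; Path=/\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed sample: what a fixed release should return.
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Set-Cookie: theme=light; Path=/\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        for finding in audit(resp):
            print(label, finding)
```

Against a live deployment, feed the script the response that actually issues the session cookie (normally the login POST, not the landing page), for example captured with `curl -sk -D - -o /dev/null` and the login parameters; a single Set-Cookie for the session or token cookie without Secure reproduces the condition this advisory describes, and the same run after patching confirms the fix.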

Related Identifiers: CVE-2021-20450
Affected Products: IBM Cognos Controller