CVE-2023-33860

July 10, 2024, 4:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

IBM Security QRadar EDR

  • 3.12

Source

psirt@us.ibm.com

Tags

CVE-2023-33860 details

Published : July 10, 2024, 4:15 p.m.
Last Modified : July 10, 2024, 4:15 p.m.

Description

IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 257702.

CVSS Score

1 2 3 4 5.3 6 7 8 9 10

Weakness

Weakness Name Description
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.3

Exploitability Score

3.9

Impact Score

1.4

Base Severity

MEDIUM

This website uses the NVD API, but is not approved or certified by it.