CVE-2012-4846

MEDIUM

Description

IBM Lotus Notes 8.5.x before 8.5.3 FP3 does not include the HTTPOnly flag in a Set-Cookie header for a web-application cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, aka SPRs JMAS7TRNLN and SRAO8U3Q68.

References

http://www.ibm.com/support/docview.wss?uid=swg21619604

http://www.ibm.com/support/docview.wss?uid=swg21620361

https://exchange.xforce.ibmcloud.com/vulnerabilities/79535

Details

Source: MITRE

Published: 2012-12-19

Updated: 2017-08-29

Type: CWE-200

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

ID: 63281

Name: IBM Lotus Notes 8.5.1 / 8.5.2 / 8.5.3 < 8.5.3 FP3 Multiple Vulnerabilities

Product: Nessus

Family: Windows

Severity: high