Mantis < 1.1.4 HTTPS Session Cookie Secure Flag Weakness

Medium Nessus Network Monitor Plugin ID 4694

Synopsis

The remote server is running Mantis, a web-based bug-tracking application.

Description

The remote server is running Mantis, a web-based bug-tracking application. This version of Mantis is affected by a weakness in which cookies issued over SSL are not marked with the 'Secure' attribute. Because that attribute is missing, the browser will also send the cookie on plaintext HTTP requests to the same host, so it can be disclosed in transit.
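As an added example (not part of this plugin or of Mantis itself), the following check parses the Set-Cookie headers of an HTTPS response and reports any cookie issued without the Secure attribute, which is the condition this plugin flags. The header block and cookie names are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of response headers from a TLS-served web application.
# The cookie names are illustrative and are not Mantis's real cookie names.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: APP_SESSION=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: APP_PREFS=dark; path=/; Secure\r\n"
    "Set-Cookie: APP_TRACK=xyz; path=/; secure; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookies(raw_headers: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP header block."""
    cookies = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookies.append(value.strip())
    return cookies


def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Split 'name=value; attr; attr=val' into a dict; attribute names are
    lower-cased because RFC 6265 treats them case-insensitively."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def insecure_cookies(raw_headers: str) -> List[str]:
    """Names of cookies in the response that were set without Secure."""
    missing = []
    for sc in parse_set_cookies(raw_headers):
        attrs = cookie_attributes(sc)
        if "secure" not in attrs:  # flag absent: browser will send it over HTTP too
            missing.append(attrs["__name__"])
    return missing


if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_HEADERS):
        print(f"cookie {name!r} set over HTTPS without the Secure attribute")
```

Run against a real response by passing the raw header block captured from an HTTPS request; a non-empty result is the same finding this plugin reports.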

Solution

Upgrade to version 1.1.4 or higher.

See Also

http://www.securityfocus.com/bid/31344

Plugin Details

Severity: Medium

ID: 4694

File Name: 4694.prm

Family: CGI

Published: 2008/11/03

Modified: 2016/01/21

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Reference Information

CVE: CVE-2008-3102

BID: 31344