CVE-2019-14849 – 3scale: user session cookie does not set HTTPOnly

https://notcve.org/view.php?id=CVE-2019-14849

A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information. Se encontró una vulnerabilidad en 3scale versión anterior a 2.6, no estableció el atributo HTTPOnly en la cookie de sesión del usuario. Un atacante podría usar esto para conducir ataques de tipo cross site scripting y conseguir acceso a información no autorizada. A flaw was found where 3scale did not set the HTTPOnly attribute on the user session cookie. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 https://access.redhat.com/security/cve/CVE-2019-14849 https://bugzilla.redhat.com/show_bug.cgi?id=1712167 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-201: Insertion of Sensitive Information Into Sent Data •