CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2013-7436 – novnc: session hijack through insecurely set session token cookies
https://notcve.org/view.php?id=CVE-2013-7436
08 Apr 2015 — noVNC before 0.5 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. It was discovered that noVNC did not properly set the 'secure' flag when issuing cookies. ...

• http://rhn.redhat.com/errata/RHSA-2015-0788.html
• CWE-310: Cryptographic Issues
• CWE-319: Cleartext Transmission of Sensitive Information