// For flags

CVE-2008-3663

squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesión en una sesión https, lo que podría provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-08-12 CVE Reserved
  • 2008-09-24 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-09-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-310: Cryptographic Issues
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Squirrelmail
Search vendor "Squirrelmail"
Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
1.4.15
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.15"
-
Affected