CVE-2021-35236
Missing Secure Flag From SSL Cookie
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.
El indicador de seguridad no está establecido en la cookie SSL de Kiwi Syslog Server 9.7.2 y versiones anteriores. El atributo Secure indica al navegador que sólo envíe la cookie si la petición se envía a través de un canal seguro como HTTPS. Esto ayudará a proteger la cookie de ser transmitida a través de peticiones no encriptadas. Si la aplicación puede ser accedida a través de ambos HTTP, se presenta la posibilidad de que la cookie pueda ser enviada en texto sin cifrar
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-06-22 CVE Reserved
- 2021-10-27 CVE Published
- 2024-06-29 EPSS Updated
- 2024-09-16 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-311: Missing Encryption of Sensitive Data
- CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Solarwinds Search vendor "Solarwinds" | Kiwi Syslog Server Search vendor "Solarwinds" for product "Kiwi Syslog Server" | <= 9.7.2 Search vendor "Solarwinds" for product "Kiwi Syslog Server" and version " <= 9.7.2" | - |
Affected
| ||||||