Session Hijacking Vulnerability in McAfee IntruShield Network Security Manager
CVE-2009-3566
Currently unrated
Key Information:
- Vendor: McAfee
- CVE Published: 13 November 2009
Summary
McAfee IntruShield Network Security Manager (NSM) prior to version 5.1.11.8.1 is susceptible to session hijacking because the Set-Cookie header for the session identifier does not include the HttpOnly flag. Without that flag the session cookie is readable by client-side script, so an attacker who exploits a cross-site scripting (XSS) vulnerability can potentially steal the cookie and gain unauthorized access to a user's active session. The issue underscores the need for secure cookie attributes to protect user sessions.
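A check for the condition described above, added here as an example and not taken from McAfee or the advisory: it audits captured response headers for session cookies set without HttpOnly and shows the corrected header. The cookie names, the name-matching pattern and the sample headers are constructed assumptions, since the page does not name the NSM session cookie.

```python
import re

# Assumption: substrings that typically mark a session-identifier cookie.
# Adjust to the cookie name your application actually uses.
SESSION_NAME_RE = re.compile(r"sess|sid|auth", re.IGNORECASE)

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def missing_httponly(headers):
    """Return names of session cookies set without HttpOnly.

    headers is a list of (name, value) pairs so repeated Set-Cookie
    headers are preserved. Attributes are parsed rather than
    substring-matched, so 'Path=/httponly' does not count as the flag.
    """
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hvalue)
        if SESSION_NAME_RE.search(name) and "httponly" not in attrs:
            findings.append(name)
    return findings

def with_httponly(header_value):
    """Return the Set-Cookie value with HttpOnly appended if it is absent."""
    _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"

# Constructed sample response headers (not captured from a real NSM instance).
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=8F3A2C; Path=/"),               # flag missing
    ("set-cookie", "SESSIONID=abc; Path=/; Secure; httponly"),  # flag present
    ("Set-Cookie", "sid=77; Path=/httponly"),                  # substring only
    ("Set-Cookie", "theme=dark; Path=/"),                      # not a session cookie
]

if __name__ == "__main__":
    print(missing_httponly(SAMPLE_RESPONSE))
```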
References
EPSS Score
5% chance of being exploited in the next 30 days.
Timeline
Vulnerability published
Vulnerability Reserved