HTTPOnly Flag Absence in IBM Tivoli Endpoint Manager Web Programs
CVE-2012-1837

Key Information:

Vendor: IBM
CVE Published: 22 March 2012

Summary

The webreports, post/create-role, and post/update-role programs within IBM Tivoli Endpoint Manager prior to version 8.2 do not set the HTTPOnly flag in their Set-Cookie headers. Because the flag is absent, client-side script running in the page can read these cookies, which makes it easier for remote attackers to obtain sensitive information (such as session identifiers) via script access to a cookie. Without the flag, a stolen cookie can be used for unauthorized access to the application.
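The following is an added illustration, not code from IBM or from Tivoli Endpoint Manager: a small audit routine that parses Set-Cookie headers from a captured HTTP response, reports cookies that lack the HttpOnly (and Secure) attributes, and shows how the same header looks once the attributes are added. The cookie names and header values below are constructed sample data; they are not values taken from the affected product.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (hypothetical, not vendor code): the header values and
cookie names are constructed for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class CookieCheck:
    name: str
    httponly: bool
    secure: bool
    missing: list = field(default_factory=list)  # attributes the cookie lacks


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie value ("name=value; Attr; Attr=val ...") and
    record whether the HttpOnly and Secure attributes are present.
    Attribute names are compared case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    missing = []
    if not httponly:
        missing.append("HttpOnly")
    if not secure:
        missing.append("Secure")
    return CookieCheck(name, httponly, secure, missing)


def audit_headers(headers):
    """Given a list of (header_name, header_value) tuples from a response,
    return [(cookie_name, [missing attributes]), ...] for every cookie that
    is missing HttpOnly or Secure. Non-cookie headers are ignored."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        check = parse_set_cookie(hvalue)
        if check.missing:
            findings.append((check.name, check.missing))
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Return the Set-Cookie value with HttpOnly and Secure appended when
    absent; this is the shape of the fix for the weakness described above."""
    check = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    for attr in check.missing:
        out += f"; {attr}"
    return out


# Constructed sample response headers (not captured from a real system).
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),        # no HttpOnly, no Secure
    ("Set-Cookie", "csrf_token=xyz; Path=/; Secure"),    # no HttpOnly
    ("Set-Cookie", "hardened=1; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie_name, missing in audit_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"cookie {cookie_name!r} is missing: {', '.join(missing)}")
    print(harden_set_cookie("session_id=abc123; Path=/"))
```

The audit only inspects attribute names, so a cookie that is deliberately exposed to script (for example a token a page's JavaScript must read) will also be reported; treat the output as a list to review, and apply HttpOnly to every cookie that carries a session or authentication value.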

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
