HTTPOnly Flag Vulnerability in IBM Lotus Notes Web Application
CVE-2012-4846

Currently unrated

Key Information:

Vendor: IBM
Status: Lotus Notes
Vendor: CVE Published:; 19 December 2012

Summary

IBM Lotus Notes versions 8.5.x prior to 8.5.3 FP3 are vulnerable due to the absence of the HTTPOnly flag in the Set-Cookie header of web-application cookies. This oversight allows remote attackers to exploit script access to these cookies, potentially leading to the unauthorized acquisition of sensitive information.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/79535

vdb-entryx_refsource_XF

http://www.ibm.com/support/docview.wss?uid=swg21620361

x_refsource_CONFIRM

http://www.ibm.com/support/docview.wss?uid=swg21619604

x_refsource_CONFIRM

Timeline

Vulnerability published
Dec 19, 2012
Vulnerability Reserved
Sep 6, 2012