HTTPOnly Flag Absence in pcsd Affects Red Hat and Fedora Products
CVE-2015-3983

Currently unrated

Key Information:

Vendor: Fedora

CVE Published: 14 May 2015

What is CVE-2015-3983?

The pcs daemon (pcsd) prior to version 0.9.137 does not include the HTTPOnly flag in its Set-Cookie header. Because the flag is absent, client-side script can read the cookie, which allows remote attackers to gain access to sensitive information through script access to cookies. Without the HTTPOnly attribute, cookies may be exposed to cross-site scripting (XSS) attacks, facilitating unauthorized data retrieval and posing security risks for users.
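A way to check for this condition from the defender's side, as an added example that is not pcsd code or part of the original advisory: it parses raw Set-Cookie header values and reports cookies sent without the flag. The cookie names and values in SAMPLE are constructed for illustration and are not taken from pcsd.

```python
from typing import List, NamedTuple


class CookieFlags(NamedTuple):
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(value: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and security flags."""
    # Segments are separated by ';'. Do not split on ',' because the
    # Expires attribute legitimately contains one.
    parts = value.split(";")
    # The first segment is name=value; a value that happens to contain the
    # text "httponly" must not be mistaken for the attribute.
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flag attributes carry no '='.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieFlags(name, "httponly" in attrs, "secure" in attrs)


def missing_httponly(set_cookie_values: List[str]) -> List[str]:
    """Return the names of cookies that were set without HttpOnly."""
    parsed = (parse_set_cookie(v) for v in set_cookie_values)
    return [c.name for c in parsed if not c.httponly]


# Constructed sample header values (not captured from a real pcsd instance).
SAMPLE = [
    "session=abc123; path=/; secure",             # flag absent
    "session=abc123; path=/; secure; HttpOnly",   # flag present
    "pref=httponly; Path=/",                      # text in value only
    "token=x; Expires=Wed, 21 Oct 2015 07:28:00 GMT; HTTPONLY",
]

if __name__ == "__main__":
    for cookie_name in missing_httponly(SAMPLE):
        print(f"cookie {cookie_name!r} is readable by script (no HttpOnly)")
```

Feed it the Set-Cookie values from a response of the service being audited; any name it returns is a cookie that page script can read.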

Timeline

  • Vulnerability published

  • Vulnerability Reserved
