Session Cookie Vulnerability in IBM Publishing Engine
CVE-2020-4316

4.3MEDIUM

Key Information:

Vendor: IBM
Status: Rational Publishing Engine
Vendor: CVE Published:; 16 July 2020

Summary

IBM Publishing Engine versions 6.0.6, 6.0.6.1, and 7.0 exhibit a security flaw where the secure attribute is not set on authorization tokens or session cookies. This oversight allows attackers to potentially harvest cookie values by tricking users into clicking on a malicious link or embedding the link within a compromised site. Consequently, the cookies could be transmitted over insecure connections, making them vulnerable to interception during transmission, which could lead to unauthorized access or data exfiltration.

Affected Version(s)

Rational Publishing Engine 6.0.6

Rational Publishing Engine 6.0.6.1

Rational Publishing Engine 7.0

References

https://www.ibm.com/support/pages/node/6249131

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/177354

vdb-entryx_refsource_XF

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jul 16, 2020
Vulnerability Reserved
Dec 30, 2019