Session Cookie Vulnerability in IBM Publishing Engine
CVE-2020-4316

4.3 MEDIUM

Key Information:

Vendor: IBM
CVE Published: 16 July 2020

Summary

IBM Publishing Engine versions 6.0.6, 6.0.6.1, and 7.0 do not set the Secure attribute on authorization tokens or session cookies. Without that attribute, the cookies can be transmitted over insecure connections. An attacker can potentially harvest cookie values by tricking a user into clicking a malicious link, or by embedding the link within a compromised site, and then intercepting the cookies during transmission, which could lead to unauthorized access or data exfiltration.
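A check for the condition described above, as an added example that is not IBM's code or part of the advisory: it audits captured response headers and reports session or authorization cookies issued without the Secure attribute. The cookie names, header values and the `SENSITIVE_HINTS` list are constructed assumptions, not names used by the product.

```python
# Added example: audit Set-Cookie headers for a missing Secure attribute.
# All header values below are constructed sample data.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=constructed-value-1; Path=/; HttpOnly"),
    ("Set-Cookie", "AUTHTOKEN=constructed-value-2; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "APPSESSION=constructed-value-3; path=/; secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
    # "secure" appears only inside the Path value, so the attribute is absent.
    ("Set-Cookie", "SID_BACKUP=constructed-value-4; Path=/secure"),
]

# Hypothetical naming hints for cookies that carry session or authorization state.
SENSITIVE_HINTS = ("session", "auth", "token", "sid")


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Compare attribute names only, never attribute values or the cookie value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def is_sensitive(name):
    """True when the cookie name matches one of the assumed hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def cookies_missing_secure(headers):
    """List sensitive cookies that were set without the Secure attribute."""
    findings = []
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if is_sensitive(name) and "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_RESPONSE_HEADERS):
        print(f"{cookie}: Secure attribute not set")
```

The `SID_BACKUP` entry shows why the check compares attribute names rather than searching the header text for "secure".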

Affected Version(s)

Rational Publishing Engine 6.0.6

Rational Publishing Engine 6.0.6.1

Rational Publishing Engine 7.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
