Unauthorized Cookie Exposure in IBM Security Directory Integrator
CVE-2024-28771

4.8 MEDIUM

Key Information:

Vendor: IBM
CVE Published: 27 January 2025

Summary

IBM Security Directory Integrator and IBM Security Verify Directory Integrator do not set the Secure attribute on authorization tokens and session cookies. Without that attribute, a browser also sends the cookie over unencrypted connections. An attacker who crafts malicious links and distributes them to unsuspecting users can potentially intercept the cookie values over such an unsecured connection. This can lead to session hijacking, in which an unauthorized party gains access to sensitive user data.

Affected Version(s)

Security Directory Integrator 7.2.0

Security Verify Directory Integrator 10.0.0

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
