Unauthorized Cookie Exposure in IBM Security Directory Integrator
CVE-2024-28771

4.8MEDIUM

Key Information:

Vendor: IBM
Status: Security Directory Integrator; Security Verify Directory Integrator
Vendor: CVE Published:; 27 January 2025

Summary

IBM Security Directory Integrator and IBM Security Verify Directory Integrator are vulnerable due to improper management of authorization tokens and session cookies. Specifically, the secure attribute is not set, which allows attackers to exploit this weakness. By crafting malicious links and disseminating them to unsuspecting users, attackers can potentially intercept cookie values through unsecured connections. This vulnerability can lead to session hijacking, where unauthorized individuals gain access to sensitive user data.

Affected Version(s)

Security Directory Integrator 7.2.0

Security Verify Directory Integrator 10.0.0

References

https://www.ibm.com/support/pages/node/7161444

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 27, 2025