Unauthorized Cookie Exposure in IBM Security Directory Integrator
CVE-2024-28771
4.8 MEDIUM
Key Information:
- Vendor: IBM
- CVE Published: 27 January 2025
Summary
IBM Security Directory Integrator and IBM Security Verify Directory Integrator do not set the secure attribute on authorization tokens or session cookies. Without that attribute, a browser will also send the cookie over unencrypted connections. An attacker can craft a malicious link, distribute it to unsuspecting users, and intercept the cookie values sent over the unsecured connection. This can lead to session hijacking, where unauthorized individuals gain access to sensitive user data.
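A defender can check for this condition by auditing the `Set-Cookie` headers a deployment returns. The following is an added example, not code from IBM or from this advisory; the header values are constructed samples and the function names are hypothetical.

```python
# Audit Set-Cookie headers for a missing Secure attribute.
# All header values below are constructed samples, not captured product output.
SAMPLE_HEADERS = [
    ("Set-Cookie", "session_id=0000abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "auth_token=Zm9vYmFy; Path=/; SECURE; HttpOnly"),
    ("set-cookie", "prefs=secure; Path=/secure; SameSite=Lax"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the attribute *name* counts: "Path=/secure" or a cookie value of
    # "secure" must not be mistaken for the Secure attribute.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(headers):
    """List the names of cookies that are set without the Secure attribute."""
    missing = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing


def harden(value):
    """Return the Set-Cookie value with Secure appended when it is absent."""
    _, attrs = parse_set_cookie(value)
    if "secure" in attrs:
        return value
    return value.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie set without Secure attribute: {cookie}")
```

`harden` shows what a compliant header looks like, for example when rewriting responses at a reverse proxy until the vendor fix is applied.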
Affected Version(s)
Security Directory Integrator 7.2.0
Security Verify Directory Integrator 10.0.0
CVSS V3.1
- Score: 4.8
- Severity: MEDIUM
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published