CVE-2024-6739

The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openfind:mailaudit:*:*:*:*:*:*:*:*
cpe:2.3:a:openfind:mailgates:*:*:*:*:*:*:*:*

History

03 Oct 2024, 18:39

Type Values Removed Values Added
CWE CWE-79 CWE-732

16 Jul 2024, 18:02

Type Values Removed Values Added
References () https://www.openfind.com.tw/taiwan/download/Openfind_OF-ISAC-24-007.pdf - () https://www.openfind.com.tw/taiwan/download/Openfind_OF-ISAC-24-007.pdf - Exploit
References () https://www.twcert.org.tw/en/cp-139-7928-04e8a-2.html - () https://www.twcert.org.tw/en/cp-139-7928-04e8a-2.html - Third Party Advisory
References () https://www.twcert.org.tw/tw/cp-132-7927-03837-1.html - () https://www.twcert.org.tw/tw/cp-132-7927-03837-1.html - Third Party Advisory
CWE CWE-79
CPE cpe:2.3:a:openfind:mailaudit:*:*:*:*:*:*:*:*
cpe:2.3:a:openfind:mailgates:*:*:*:*:*:*:*:*
Summary
  • (es) La cookie de sesión en MailGates y MailAudit de Openfind no tiene el indicador HttpOnly habilitado, lo que permite a atacantes remotos potencialmente robar la cookie de sesión a través de XSS.
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 6.1
First Time Openfind
Openfind mailgates
Openfind mailaudit

15 Jul 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-15 04:15

Updated : 2024-10-03 18:39


NVD link : CVE-2024-6739

Mitre link : CVE-2024-6739

CVE.ORG link : CVE-2024-6739


JSON object : View

Products Affected

openfind

  • mailgates
  • mailaudit
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag