CVE-2008-3661

EUVD-2008-3647
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
drupaldrupal
5.10
drupaldrupal
6.4
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
drupal
dapper
ignored
feisty
ignored
gutsy
dne
hardy
dne
intrepid
dne
jaunty
dne
drupal5
dapper
dne
feisty
dne
gutsy
ignored
hardy
ignored
intrepid
ignored
jaunty
ignored
References
http://int21.de/cve/CVE-2008-3661-drupal.html
http://www.securityfocus.com/archive/1/496575/100/0/threaded
http://www.securityfocus.com/bid/31285
https://exchange.xforce.ibmcloud.com/vulnerabilities/45298
http://int21.de/cve/CVE-2008-3661-drupal.html
http://www.securityfocus.com/archive/1/496575/100/0/threaded
http://www.securityfocus.com/bid/31285
https://exchange.xforce.ibmcloud.com/vulnerabilities/45298