CVE-2018-1480

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. If a Cross-Site Scripting vulnerability also existed attackers may be able to get the cookie values via malicious JavaScript and then hijack the user session. IBM X-Force ID: 140762.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
ibmCNA
4 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/A:N/AC:H/AV:N/C:L/I:N/PR:N/S:C/UI:N/E:H/RC:C/RL:O
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
VendorProductVersion
ibmbigfix_platform
9.2.0 ≤
𝑥
≤ 9.2.14
ibmbigfix_platform
9.5 ≤
𝑥
≤ 9.5.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://exchange.xforce.ibmcloud.com/vulnerabilities/140762
https://www.ibm.com/support/docview.wss?uid=ibm10733605
https://exchange.xforce.ibmcloud.com/vulnerabilities/140762
https://www.ibm.com/support/docview.wss?uid=ibm10733605