Missing HTTPOnly Flag in Set-Cookie Header in pcsd

Missing HTTPOnly Flag in Set-Cookie Header in pcsd

CVE-2015-3983 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:N/A:N

The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types.

Learn more about our Web Application Penetration Testing UK.