CVE-2019-14849

CWE-201 CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 45.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat 3scale

Timeline

PublishedDec 12

Latest updateMay 24

Description

A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDredhat/3scale< 2.6

▶CVEListV53scalen/a

🔴Vulnerability Details

GHSA

GHSA-8v4x-g74w-cgg6: A vulnerability was found in 3scale before version 2↗2022-05-24

▶

CVEList

CVE-2019-14849: A vulnerability was found in 3scale before version 2↗2019-12-12

▶

📋Vendor Advisories

Red Hat

3scale: user session cookie does not set HTTPOnly↗2019-12-11

▶

💬Community

Bugzilla

CVE-2019-14849 3scale: user session cookie does not set HTTPOnly↗2019-05-20

▶