CVE-2020-14248: Cleartext Transmission of Sensitive Info in BigFix Platform

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 67.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 16; latest update May 24

Description

BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5: hcl_software/hcl_bigfix_inventory (v9, v10.0.x)
NVD: hcltech/bigfix_platform (9.0.0 through 10.0.2)

Vulnerability Details (2)

GHSA: GHSA-j564-pmx9-wqcj: BigFix Inventory up to v10 (2022-05-24)
CVEList: CVE-2020-14248: BigFix Inventory up to v10 (2020-12-16)
CVE-2020-14248 — Hcltech Bigfix Platform vulnerability | cvebase