Vulnerability in Theforeman Foreman

CVE-2015-3155

Foreman before 1.8.1 does not set the secure flag for the _session_id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

EPSS: 0.006 (68.7th percentile) — read the EPSS interpretation.

Affected products

Theforeman Foreman
N/a — versions n/a

Weakness classification (CWE)

CWE-284 — Improper Access Control

References

secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
RHSA-2015:1592 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)
RHSA-2015:1591 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Patch)