Description
The default "basic" security setting' in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges.
References (3)
Core 3
Core References
Broken Link mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0245.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/3591
Broken Link vdb-entry
x_refsource_xf
http://www.iss.net/security_center/static/7619.php
Scores
CVSS v3
7.5
EPSS
0.0112
EPSS Percentile
61.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-312
Status
published
Products (1)
symfony/twig
< 2.7.4
Published
Dec 31, 2001
Tracked Since
Feb 18, 2026