Description
Drupal, probably 5.10 and 6.4, does not set the secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
References (4)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)
http://www.securityfocus.com/bid/31285
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/45298
Third Party Advisory (x_refsource_misc)
http://int21.de/cve/CVE-2008-3661-drupal.html
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq)
http://www.securityfocus.com/archive/1/496575/100/0/threaded
Scores
EPSS
0.0180
EPSS Percentile
83.1%
Details
Status
published
Products (2)
drupal/drupal
5.10
drupal/drupal
6.4
Published
Sep 23, 2008
Tracked Since
Feb 18, 2026