CVE-2008-7293

Firefox < 4.0 - Cookie Forcing via Set-Cookie Header

Title source: llm
STIX 2.1

Description

Mozilla Firefox before 4 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.

Scores

EPSS 0.0168
EPSS Percentile 74.3%

Details

CWE
CWE-264
Status published
Products (47)
mozilla/firefox 1.0 (2 CPE variants)
mozilla/firefox 1.0.1
mozilla/firefox 1.0.2
mozilla/firefox 1.0.3
mozilla/firefox 1.0.4
mozilla/firefox 1.0.5
mozilla/firefox 1.0.6
mozilla/firefox 1.0.7
mozilla/firefox 1.0.8
mozilla/firefox 1.5 (3 CPE variants)
... and 37 more
Published Aug 09, 2011
Tracked Since Feb 18, 2026