Description
IBM Lotus Notes 8.5.x before 8.5.3 FP3 does not include the HTTPOnly flag in a Set-Cookie header for a web-application cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, aka SPRs JMAS7TRNLN and SRAO8U3Q68.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/79535
Patch x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg21620361
Vendor Advisory x_refsource_confirm
http://www.ibm.com/support/docview.wss?uid=swg21619604
Scores
EPSS
0.0119
EPSS Percentile
64.3%
Details
CWE
CWE-200
Status
published
Products (16)
ibm/lotus_notes
8.5.0.0
ibm/lotus_notes
8.5.0.1
ibm/lotus_notes
8.5.1
ibm/lotus_notes
8.5.1.0
ibm/lotus_notes
8.5.1.1
ibm/lotus_notes
8.5.1.2
ibm/lotus_notes
8.5.1.3
ibm/lotus_notes
8.5.1.4
ibm/lotus_notes
8.5.1.5
ibm/lotus_notes
8.5.2.0
... and 6 more
Published
Dec 19, 2012
Tracked Since
Feb 18, 2026