CVE-2019-14849
MEDIUM3scale < 2.6 - Session Cookie Information Disclosure via Missing HTTPOnly Attribute
Title source: llmDescription
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
References (1)
Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849
Scores
CVSS v3
5.4
EPSS
0.0031
EPSS Percentile
54.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-201
CWE-79
Status
published
Products (1)
redhat/3scale
< 2.6
Published
Dec 12, 2019
Tracked Since
Feb 18, 2026