Description
The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm
Vendor Advisory x_refsource_misc
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236
Scores
CVSS v3
3.1
EPSS
0.0050
EPSS Percentile
38.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-614
CWE-311
Status
published
Products (1)
solarwinds/kiwi_syslog_server
< 9.7.2
Published
Oct 27, 2021
Tracked Since
Feb 18, 2026