CVE-2022-38846
MEDIUM
EspoCRM 7.1.8 - Cleartext Transmission of Sensitive Information via Missing Secure Flag
EspoCRM version 7.1.8 is vulnerable to a missing Secure flag on its cookies, which allows the browser to send the cookies in plain text over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using a MITM attack.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://medium.com/cybersecurity-valuelabs/espocrm-7-1-8-is-vulnerable-to-missing-secure-flag-1664bac5ffe4
Scores
CVSS v3
5.9
EPSS
0.0041
EPSS Percentile
32.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-319
Status
published
Products (1)
espocrm/espocrm
7.1.8
Published
Sep 16, 2022
Tracked Since
Feb 18, 2026