CVE-2023-38281
MEDIUMIBM Cloud Pak System - Open Redirect
Title source: llmDescription
IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Scores
CVSS v3
5.3
EPSS
0.0004
EPSS Percentile
10.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Classification
CWE
CWE-209
Status
published
Affected Products (11)
ibm/cloud_pak_system
ibm/cloud_pak_system
ibm/cloud_pak_system
ibm/cloud_pak_system
ibm/cloud_pak_system
ibm/os_image_for_red_hat_linux_systems
ibm/os_image_for_red_hat_linux_systems
ibm/os_image_for_red_hat_linux_systems
ibm/os_image_for_red_hat_linux_systems
ibm/os_image_for_red_hat_linux_systems
ibm/os_image_for_red_hat_linux_systems
Timeline
Published
Feb 04, 2026
Tracked Since
Feb 18, 2026