CVE-2022-32778
In short
Cookies in WWBN AVideo 11.6 are missing security flags, allowing attackers to steal session and password information through JavaScript or unencrypted connections. This could let someone hijack user accounts or access protected content.
Technical detail
The session and pass cookies lack the HttpOnly flag, making them accessible to JavaScript-based attacks (XSS). The session cookie additionally lacks the Secure flag, enabling interception over non-HTTPS channels. An attacker can exploit these missing protections to exfiltrate authentication tokens and password hashes.
Summary generated and translated by AI from the official description.
An information disclosure vulnerability exists in the cookie functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. The session cookie and the pass cookie miss the HttpOnly flag, making them accessible via JavaScript. The session cookie also misses the secure flag, which allows the session cookie to be leaked over non-HTTPS connections. This could allow an attacker to steal the session cookie via crafted HTTP requests. This vulnerability is for the pass cookie, which contains the hashed password and can be leaked via JavaScript.
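A defender-side check for the flags the description names, as an added example that is not code from AVideo or from the advisory: it reads the Set-Cookie headers of a raw HTTP response and reports which sensitive cookies lack HttpOnly or Secure. The cookie names `session` and `pass` follow the advisory's wording and are an assumption about the literal names on the wire; both sample responses are constructed.

```python
SENSITIVE = {"session", "pass"}  # assumed names, taken from the advisory wording

# Constructed sample: mirrors the flags the advisory says are missing.
AFFECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=constructed-session-id; path=/\r\n"
    "Set-Cookie: pass=constructed-hash; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "\r\n<html></html>"
)
# Constructed sample: the same cookies with both flags set.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "set-cookie: session=constructed-session-id; Path=/; Secure; HttpOnly\r\n"
    "set-cookie: pass=constructed-hash; Secure; HttpOnly\r\n"
    "\r\n"
)

def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def parse_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p}
    return first.split("=", 1)[0].strip(), attrs

def audit(raw_response, sensitive=SENSITIVE):
    """List (cookie, missing flag) pairs for the sensitive cookies only."""
    findings = []
    for value in set_cookie_values(raw_response):
        name, attrs = parse_cookie(value)
        if name.lower() in sensitive:
            for flag in ("HttpOnly", "Secure"):
                if flag.lower() not in attrs:
                    findings.append((name, flag))
    return findings

if __name__ == "__main__":
    for label, resp in (("affected", AFFECTED), ("hardened", HARDENED)):
        print(label, audit(resp))
```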
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
WWBN · AVideo