CVE-2020-15767

MEDIUM Year: 2020
CVSS v3 Score
5.3
Medium
CVSS v2 Score
2.6
Low
Weakness Type
CWE-311
View all →

Vulnerability Description

An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.

Related Vulnerabilities

CVE-2015-0558

MEDIUM
CVSS:5.3(Medium)

The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6, and possibly other routers, uses "1236790" and the MAC address to generate the WPA key.

CWE-3112015

CVE-2018-17563

MEDIUM
CVSS:5.3(Medium)

A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device's configuration in cleartext.

CWE-3112018

CVE-2018-5482

MEDIUM
CVSS:5.3(Medium)

NetApp SnapCenter Server prior to 4.1 does not set the secure flag for a sensitive cookie in an HTTPS session which can allow the transmission of the cookie in plain text over an unencrypted channel.

CWE-3112018

CVE-2018-6976

MEDIUM
CVSS:5.3(Medium)

The VMware Content Locker for iOS prior to 4.14 contains a data protection vulnerability in the SQLite database. This vulnerability relates to unencrypted filenames and associated metadata in SQLite d...

CWE-3112018

CVE-2019-19464

MEDIUM
CVSS:5.3(Medium)

The CBC Gem application before 9.24.1 for Android and before 9.26.0 for iOS has Unencrypted Analytics.

CWE-3112019

CVE-2019-4471

MEDIUM
CVSS:5.3(Medium)

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for a sensitive cookie in an HTTPS session. A remote atta...

CWE-3112019