Vulnerability Description
noVNC before 0.5 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVSS Score
4.3
MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kanaka | Novnc | 0.4 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2015-0788.html
- http://rhn.redhat.com/errata/RHSA-2015-0833.html
- http://rhn.redhat.com/errata/RHSA-2015-0834.html
- http://rhn.redhat.com/errata/RHSA-2015-0884.html
- http://www.openwall.com/lists/oss-security/2015/02/17/1
- http://www.openwall.com/lists/oss-security/2015/03/12/13
- https://bugzilla.redhat.com/show_bug.cgi?id=1193451
- https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd
- http://rhn.redhat.com/errata/RHSA-2015-0788.html
- http://rhn.redhat.com/errata/RHSA-2015-0833.html
- http://rhn.redhat.com/errata/RHSA-2015-0834.html
- http://rhn.redhat.com/errata/RHSA-2015-0884.html
- http://www.openwall.com/lists/oss-security/2015/02/17/1
- http://www.openwall.com/lists/oss-security/2015/03/12/13
- https://bugzilla.redhat.com/show_bug.cgi?id=1193451
FAQ
What is CVE-2013-7436?
CVE-2013-7436 is a vulnerability with a CVSS score of 4.3 (MEDIUM). noVNC before 0.5 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http sessio...
How severe is CVE-2013-7436?
CVE-2013-7436 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-7436?
Check the references section above for vendor advisories and patch information. Affected products include: Kanaka Novnc.