Required CVE Record Information
Description
Gallery before 1.5.9, and 2.x before 2.2.6, does not set the Secure flag on the session cookie in an HTTPS session. The cookie can therefore be sent in plain HTTP requests, which makes it easier for remote attackers to capture it.
References 11 Total
- security.gentoo.org: GLSA-200811-02 vendor-advisory
- secunia.com: 33144 third-party-advisory
- secunia.com: 32662 third-party-advisory
- redhat.com: FEDORA-2008-11258 vendor-advisory
- securityfocus.com: 20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662 mailing-list
- securityfocus.com: 31231 vdb-entry
- http://int21.de/cve/CVE-2008-3662-gallery.html
- http://gallery.menalto.com/gallery_2.2.6_released
- http://gallery.menalto.com/gallery_1.5.9_released
- seclists.org: 20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662 mailing-list
- redhat.com: FEDORA-2008-11230 vendor-advisory