Main Vulnerability Database Vulnerabilities #VU108792

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Concert Software - CVE-2024-43180

Published: May 8, 2025

Vulnerability identifier: #VU108792

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-43180

CWE-ID: CWE-614

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: IBM Corporation

Affected software:
IBM Concert Software

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to IBM Concert does not set the secure attribute on authorization tokens or session cookies. A remote attacker can get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

How to mitigate CVE-2024-43180

Install updates from vendor's website.

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Concert Software - CVE-2024-43180

Detailed vulnerability description

How to mitigate CVE-2024-43180

Sources

Please verify you're human