Information disclosure in Sametime - CVE-2013-3984


Published: May 26, 2014 / Updated: August 10, 2020


Vulnerability identifier: #VU41621
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-3984
CWE-ID: CWE-200
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
Sametime

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not set the secure flag for an unspecified cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
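The weakness above is a cookie issued over HTTPS without the Secure attribute: a browser will also attach such a cookie to plain-HTTP requests for the same host, where anyone on the path can read it. The following audit script is an added example, not code from the advisory or from IBM; it parses Set-Cookie headers and reports cookies that lack Secure (and HttpOnly). The header values are constructed samples, since the advisory does not name the affected cookie.

```python
"""Audit Set-Cookie headers for the class of weakness in CVE-2013-3984:
a cookie set in an HTTPS session without the Secure attribute."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lowercase attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers, served_over_https=True):
    """Return (cookie name, problem) pairs for cookies a browser would send
    over plain HTTP (missing Secure) or expose to script (missing HttpOnly)."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if served_over_https and "secure" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing Secure: also sent over http"))
        if "httponly" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing HttpOnly: readable by script"))
    return findings


# Constructed sample headers; the cookie name is a placeholder, not
# the unspecified Sametime cookie from the advisory.
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; HttpOnly",          # weak: no Secure attribute
    "SESSION=abc123; Path=/; Secure; HttpOnly",  # hardened form
]

if __name__ == "__main__":
    for name, problem in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
```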


How to mitigate CVE-2013-3984

Install the update from the vendor's website.

Sources