3Scale
CVE-2019-14849
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
AnalysisAI
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-201. A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information. Affected products include: Redhat 3Scale. Version information: version 2.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
It was found that all versions of 3Scale developer portal lacked brute force protections. Rated high severity (CVSS 7.3)
A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. Rated medium s
A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. Rated medium severity (C
Share
External POC / Exploit Code
Leaving vuln.today