CVE-2008-7296

Published Aug 9, 2011

Last updated 12 years ago

Overview

Description
Apple Safari cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.
Source
cve@mitre.org
NVD status
Analyzed

Risk scores

CVSS 2.0

Type
Primary
Base score
5.8
Impact score
4.9
Exploitability score
8.6
Vector string
AV:N/AC:M/Au:N/C:N/I:P/A:P

Weaknesses

nvd@nist.gov
CWE-264

Social media

Hype score
Not currently trending

Configurations