VYPR
Unrated severity · NVD Advisory · Published Feb 16, 2021 · Updated Sep 16, 2024

Missing HttpOnly and Secure flags

CVE-2020-29024

Description

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in (GTA) GoToAppliance of Secomea GateManager could allow an attacker to gain access to sensitive cookies. This issue affects: Secomea GateManager all versions prior to 9.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sensitive cookies in Secomea GateManager (all versions prior to 9.3) lack the Secure attribute, enabling interception over cleartext connections.

Vulnerability

The vulnerability resides in the session cookie handling of Secomea GateManager. A cookie that is set over HTTPS without the 'Secure' attribute can also be sent over unencrypted HTTP connections. This affects all versions of GateManager prior to 9.3 [1]. Because the cookie is issued without the Secure flag, it can leak when an HTTPS page loads resources over HTTP.

Exploitation

An attacker positioned on the network (e.g., via man-in-the-middle attack) can intercept HTTP traffic or trick the user into visiting a non-HTTPS page that triggers the insecure cookie transmission. No authentication is required; the attacker only needs to observe network traffic or perform a downgrade attack.

Impact

Successful exploitation allows the attacker to capture session cookies, potentially leading to session hijacking and unauthorized access to the GateManager web interface with the victim's privileges. This could result in disclosure of sensitive configuration data or control over managed devices.

Mitigation

Secomea has addressed the issue in GateManager version 9.3 [1]. Users should upgrade to 9.3 or later immediately. No workarounds are documented; upgrading is the only recommended mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
