Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in instantsoft/icms2
Description
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The session cookie in icms2 prior to 2.16.1 lacks the Secure flag, allowing interception over non-HTTPS connections.
Vulnerability
In instantsoft/icms2 prior to version 2.16.1, the session cookie set during HTTPS sessions does not include the Secure attribute. The cookie configuration in setCookie() explicitly sets 'secure' => false [2], even when the protocol is HTTPS. This affects all authentication-related operations, including login and logout, where session regeneration was also absent. The fix in commit ca5f150 [1] corrects this by setting 'secure' => cmsConfig::isSecureProtocol() and adding session regeneration on login, logout, and auto-login.
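As an added illustration (not icms2's own code), the weak cookie options described above next to a hardened version shaped like the fix. The isSecureProtocol() function below is a hypothetical stand-in for cmsConfig::isSecureProtocol(), and the cookie name, lifetime and rotateSessionId() helper are assumptions.

```php
<?php
// Added example, not code from the icms2 repository. It contrasts the
// pre-2.16.1 cookie options with a hardened set that follows the fix.

// Mirrors the defect: Secure is hard-coded to false, so the browser will
// also attach the cookie to plain http:// requests to the same host.
function vulnerableCookieOptions(int $lifetime): array {
    return [
        'expires'  => time() + $lifetime,
        'path'     => '/',
        'secure'   => false,        // the defect: never set, even on HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Hypothetical stand-in for cmsConfig::isSecureProtocol(): true when the
// request arrived over TLS, directly or via a trusted reverse proxy.
function isSecureProtocol(array $server): bool {
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Only trust this header if your own proxy overwrites it on every request.
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Post-fix shape: the Secure flag follows the protocol the session uses,
// so a cookie issued over HTTPS is never sent over HTTP.
function hardenedCookieOptions(int $lifetime, array $server): array {
    $opts = vulnerableCookieOptions($lifetime);
    $opts['secure'] = isSecureProtocol($server);
    return $opts;
}

// Companion to the cookie fix: rotate the session id whenever the privilege
// level changes (login, logout, auto-login) so a pre-auth id is never reused.
function rotateSessionId(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // true = discard the old session data
    }
}

// Usage sketch for an HTTPS login request (array-form setcookie() needs PHP >= 7.3).
session_start();
// ... credentials verified here ...
rotateSessionId();                     // new id before it is handed to the client
setcookie('session_id', session_id(), hardenedCookieOptions(86400, $_SERVER));
```

With the hardened options, a session cookie issued over HTTPS carries the Secure attribute and is never sent on a plain HTTP request, which removes the interception path described in this advisory.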
Exploitation
An attacker with network access (e.g., on a shared Wi-Fi or through a man-in-the-middle position) can intercept the session cookie if the user is redirected to an HTTP page or if the initial request is made over an insecure connection. The cookie, lacking the Secure flag, is transmitted over unencrypted HTTP, allowing the attacker to capture it and replay it to impersonate the victim's session.
Impact
Successful exploitation leads to session hijacking. An attacker can gain unauthorized access to the victim's authenticated session, potentially leading to disclosure of sensitive data, modification of user settings, or other actions within the application context as the victim. The severity is elevated because the vulnerability affects all HTTPS sessions served by the application.
Mitigation
The vulnerability is fixed in icms2 version 2.16.1, released on 2023-08-31. Users should upgrade immediately. There is no known workaround; applying the vendor-supplied patch is the recommended mitigation. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <2.16.1
- instantsoft/instantsoft/icms2v5, Range: unspecified
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.