CVE-2018-10813

Published: Jun 5, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of the session cookie and re-sign it using the hardcoded secret. Due to the use of Passport.js, this could lead to privilege escalation.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.digitalinterruption.com/single-post/2018/06/04/Are-Your-Cookies-Telling-Your-Fortune

x_refsource_MISC

https://github.com/aprendecondedos/dedos-web/pull/1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2018-10813

Description

Affected Products

References