Reliance on Cookies without Validation Affecting october/rain package, versions >=1.0.319, <1.0.468


Snyk severity: medium

Snyk CVSS metrics:
  • Attack Complexity: High
  • User Interaction: Required
  • Scope: Changed
  • Integrity: High

Threat Intelligence:
  • EPSS 0.06% (24th percentile)
NVD: 6.3 medium

  • Snyk ID SNYK-PHP-OCTOBERRAIN-597171
  • published 2 Aug 2020
  • disclosed 2 Aug 2020
  • credit Unknown

How to fix?

Upgrade october/rain to version 1.0.468 or higher.

Overview

october/rain is the October Rain library, the framework layer that October CMS is built on.

Affected versions of this package are vulnerable to Reliance on Cookies without Validation. Encrypted cookie values were not tied to the name of the cookie they belonged to, so a value minted for one cookie would decrypt just as well when presented under another cookie's name. This meant that certain classes of attack that took advantage of other, theoretical vulnerabilities in user-facing application code (nothing exploitable in the core project itself) had a higher chance of succeeding.
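The following is an added illustration of the design point above, not code from october/rain or October CMS. It uses Python's standard-library HMAC (integrity only, no encryption, so it runs without third-party packages) to contrast an "unbound" sealed cookie, whose tag covers only the value, with a "bound" one whose tag also covers the cookie name; in an authenticated-encryption design the same binding is achieved by passing the cookie name as associated data. The key, cookie names and value are constructed for the demo; `seal_*`/`open_*` and `transplant_demo` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real application loads its key from configuration.
DEMO_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(tag: bytes, value: str) -> str:
    # Wire format: base64url( tag || value )
    return base64.urlsafe_b64encode(tag + value.encode()).decode()


def _decode(sealed: str):
    # Split a wire-format cookie back into (tag, value); None if malformed.
    try:
        raw = base64.urlsafe_b64decode(sealed.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < TAG_LEN:
        return None
    return raw[:TAG_LEN], raw[TAG_LEN:]


# --- Unbound scheme (the weakness): the tag authenticates only the value ---
def seal_unbound(key: bytes, value: str) -> str:
    return _encode(_mac(key, value.encode()), value)


def open_unbound(key: bytes, sealed: str):
    parts = _decode(sealed)
    if parts is None:
        return None
    tag, value = parts
    if not hmac.compare_digest(tag, _mac(key, value)):
        return None
    return value.decode()


# --- Bound scheme (the fix): the cookie name is authenticated together
# --- with the value, so a sealed value only verifies under its own name.
def _bound_input(name: str, value: bytes) -> bytes:
    n = name.encode()
    # Length-prefix the name so name/value boundaries are unambiguous.
    return len(n).to_bytes(4, "big") + n + value


def seal_bound(key: bytes, name: str, value: str) -> str:
    return _encode(_mac(key, _bound_input(name, value.encode())), value)


def open_bound(key: bytes, name: str, sealed: str):
    parts = _decode(sealed)
    if parts is None:
        return None
    tag, value = parts
    if not hmac.compare_digest(tag, _mac(key, _bound_input(name, value))):
        return None
    return value.decode()


def transplant_demo(key: bytes = DEMO_KEY) -> dict:
    """Seal one value for a low-privilege cookie, then check what each
    scheme accepts when the server reads it under a different cookie name."""
    minted_for, presented_as, value = "remember_me", "admin_session", "user:42"
    unbound = seal_unbound(key, value)
    bound = seal_bound(key, minted_for, value)
    return {
        # The unbound verifier has no name to check, so it cannot tell.
        "unbound_accepted_under_other_name": open_unbound(key, unbound) == value,
        "bound_accepted_under_own_name": open_bound(key, minted_for, bound) == value,
        "bound_accepted_under_other_name": open_bound(key, presented_as, bound) == value,
    }


if __name__ == "__main__":
    print(transplant_demo())
```

The verifier for the bound scheme needs the name the cookie actually arrived under, which is exactly the context the unbound scheme throws away; binding it is what turns "a valid sealed value" into "a valid sealed value for this cookie".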
