Reliance on Cookies without Validation Affecting october/rain package, versions >=1.0.319, <1.0.468
Snyk CVSS
- Attack Complexity: High
- User Interaction: Required
- Scope: Changed
- Integrity: High
Threat Intelligence
- EPSS: 0.06% (24th percentile)
- Snyk ID SNYK-PHP-OCTOBERRAIN-597171
- published 2 Aug 2020
- disclosed 2 Aug 2020
- credit Unknown
Introduced: 2 Aug 2020
CVE-2020-15128
How to fix?
Upgrade october/rain to version 1.0.468 or higher.
Overview
october/rain is an October Rain Library.
Affected versions of this package are vulnerable to Reliance on Cookies without Validation. Encrypted cookie values were not tied to the name of the cookie the value belonged to. As a result, certain classes of attacks that took advantage of other theoretical vulnerabilities in user-facing code (nothing exploitable in the core project itself) had a higher chance of succeeding.
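The missing binding, shown as an added PHP example (not october/rain code and not its actual fix): it authenticates the cookie name as AES-256-GCM associated data, which is one way to tie an encrypted value to the cookie it was issued for. The function names, cookie names, key and values are constructed for illustration.

```php
<?php
// Added illustration; not october/rain code. Names, key and values are constructed.
const CIPHER = 'aes-256-gcm';

// $name is authenticated as associated data (AAD); '' reproduces the unbound case.
function sealCookie(string $key, string $value, string $name = ''): string
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt($value, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $name);
    return base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or null if the blob is malformed or authentication fails.
function openCookie(string $key, string $blob, string $name = ''): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $name);
    return $pt === false ? null : $pt;
}

$key = random_bytes(32);

// Unbound: a value issued for "theme" decrypts no matter which cookie it is read from,
// because nothing in the ciphertext records the name.
$unbound = sealCookie($key, 'dark');
if (openCookie($key, $unbound) !== 'dark') {
    throw new RuntimeException('unbound round trip failed');
}

// Bound: the same value sealed for "theme" only opens when read as "theme".
$bound = sealCookie($key, 'dark', 'theme');
if (openCookie($key, $bound, 'theme') !== 'dark') {
    throw new RuntimeException('bound round trip failed');
}
if (openCookie($key, $bound, 'session_flags') !== null) {
    throw new RuntimeException('value accepted under the wrong cookie name');
}
echo "cookie value rejected when presented under a different name\n";
```

Requires PHP 7.1 or later with the OpenSSL extension.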