Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2009-3566
Last Modified 05 Jan 2012 12:00:00
Published 13 Nov 2009 10:30:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-3566

Summary

McAfee IntruShield Network Security Manager (NSM) before 5.1.11.8.1 does not include the HTTPOnly flag in the Set-Cookie header for the session identifier, which allows remote attackers to hijack a session by leveraging a cross-site scripting (XSS) vulnerability.

Vulnerable Systems

Application

  • McAfee IntruShield Network Security Manager 5.1.7.7

  • McAfee IntruShield Network Security Manager 5.1.7.73

  • McAfee IntruShield Network Security Manager 5.1.7.74


References

CONFIRM - https://kc.mcafee.com/corporate/index?page=content&id=SB10005

XF - nsm-httponly-session-hijacking(54251)

VUPEN - ADV-2009-3226

BID - 37004

BUGTRAQ - 20091111 [SWRX-2009-002] McAfee Network Security Manager Authentication Bypass and Session Hijacking Vulnerability

MISC - http://www.secureworks.com/ctu/advisories/SWRX-2009-002

OSVDB - 59912

SECTRACK - 1023172

SECUNIA - 37178


Last Updated: 27 May 2016 10:58:00