CVE-2024-30155
HCL SX is susceptible to cookie with Insecure, Improper, or Missing SameSite attribute vulnerability
In short
HCL SX fails to properly protect its session cookies, making them vulnerable to theft through cross-site attacks. An attacker could potentially hijack a user's session if they visit a malicious website while logged in.
Technical detail
The application does not set the SameSite attribute on authorization and session cookies, enabling Cross-Site Request Forgery (CSRF) attacks. An attacker can craft malicious requests from third-party sites to trigger unauthorized actions on behalf of an authenticated user, or intercept cookie values depending on browser behavior.
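An added example (not from HCL or the advisory) showing how a defender can audit Set-Cookie header values for the attributes this finding concerns, using only the standard library; the cookie names and values are constructed, and `hardened_session_cookie` shows the attribute set that closes the gap.

```python
# Added example: audit Set-Cookie values for missing Secure / SameSite / HttpOnly
# attributes, and build a hardened session cookie for comparison.
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> dict:
    """Return {cookie_name: [findings]} for one Set-Cookie header value.

    header_value is the part after "Set-Cookie:", e.g. "sid=abc; Path=/".
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = {}
    for name, morsel in cookie.items():
        issues = []
        # Flags parse as True when present and "" when absent.
        secure = bool(morsel["secure"])
        if not secure:
            issues.append("missing Secure")
        samesite = str(morsel["samesite"]).lower()
        if not samesite:
            issues.append("missing SameSite")  # browser default applies, no explicit policy
        elif samesite == "none" and not secure:
            issues.append("SameSite=None without Secure (browsers reject it)")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly")
        findings[name] = issues
    return findings


def hardened_session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value with the attributes the finding calls for."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True      # only sent over HTTPS
    cookie[name]["httponly"] = True    # not readable from script
    cookie[name]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed sample headers: a weak one and its hardened counterpart.
    weak = "SessionID=abc123; Path=/"
    for header in (weak, hardened_session_cookie("SessionID", "abc123")):
        print(header, "->", audit_set_cookie(header))
```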
Summary generated and translated by AI from the official description.
HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF).
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected products
HCL Software · HCL SX