{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-09-18T00:00:00", "descriptions": [{"lang": "en", "value": "Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "GLSA-200811-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"name": "33144", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/33144"}, {"name": "32662", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/32662"}, {"name": "FEDORA-2008-11258", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"name": "20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/496509/100/0/threaded"}, {"name": "31231", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/31231"}, {"tags": ["x_refsource_MISC"], "url": "http://int21.de/cve/CVE-2008-3662-gallery.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"name": "20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2008/Sep/0379.html"}, {"name": "FEDORA-2008-11230", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3662", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-200811-02", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"name": "33144", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33144"}, {"name": "32662", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32662"}, {"name": "FEDORA-2008-11258", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"name": "20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/496509/100/0/threaded"}, {"name": "31231", "refsource": "BID", "url": "http://www.securityfocus.com/bid/31231"}, {"name": "http://int21.de/cve/CVE-2008-3662-gallery.html", "refsource": "MISC", "url": "http://int21.de/cve/CVE-2008-3662-gallery.html"}, {"name": "http://gallery.menalto.com/gallery_2.2.6_released", "refsource": "CONFIRM", "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"name": "http://gallery.menalto.com/gallery_1.5.9_released", "refsource": "CONFIRM", "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"name": "20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2008/Sep/0379.html"}, {"name": "FEDORA-2008-11230", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T09:45:18.968Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-200811-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"name": "33144", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/33144"}, {"name": "32662", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/32662"}, {"name": "FEDORA-2008-11258", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"name": "20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/496509/100/0/threaded"}, {"name": "31231", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/31231"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://int21.de/cve/CVE-2008-3662-gallery.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"name": "20080918 menalto gallery: Session hijacking vulnerability, CVE-2008-3662", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2008/Sep/0379.html"}, {"name": "FEDORA-2008-11230", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3662", "datePublished": "2008-09-18T18:00:00", "dateReserved": "2008-08-12T00:00:00", "dateUpdated": "2024-08-07T09:45:18.968Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallery:gallery:*:*:*:*:*:*:*:*", "matchCriteriaId": "F63EDF9A-1818-41D4-96EF-DFF61994C27F", "versionEndIncluding": "2.2.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CAD2DDED-A01D-4026-B8C3-0DA916466D1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D400C30B-BD93-4419-BEC2-24A470F5E473", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8180C4E9-EFC9-438C-AAAF-B09B838CA17E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "B2ED9F1B-D3BD-42BA-8300-6A719A577F7F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallery:gallery:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "3A821D29-75FA-4A6D-BE1A-D11906FA188D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallery:gallery:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2630CD9-31D8-4E24-B518-03D94B3383B9", "versionEndIncluding": "1.5.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."}, {"lang": "es", "value": "Gallery, versiones anteriores a 1.5.9, 2.x y versiones anteriores a 2.2.6 no asigna el indicador seguro para la cookie de sesi\u00f3n en una sesi\u00f3n https, el cual puede causar que la cookie sea enviada en una petici\u00f3n http y hacer m\u00e1s f\u00e1cil a los atacantes remotos capturar esta cookie."}], "id": "CVE-2008-3662", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-09-18T18:00:00.390", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"source": "cve@mitre.org", "url": "http://int21.de/cve/CVE-2008-3662-gallery.html"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2008/Sep/0379.html"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/32662"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/33144"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/496509/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/31231"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_1.5.9_released"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://gallery.menalto.com/gallery_2.2.6_released"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://int21.de/cve/CVE-2008-3662-gallery.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2008/Sep/0379.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32662"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/33144"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200811-02.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/496509/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/31231"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gallery2 session hijacking vulnerability", "id": "462870", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=462870"}, "csaw": false, "details": ["Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."], "name": "CVE-2008-3662", "public_date": "2008-09-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2008-3662"], "threat_severity": "Moderate"}

{}