CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS
Percentile: 73.8%
Mozilla Firefox before 4 cannot properly restrict modifications to cookies
established in HTTPS sessions, which allows man-in-the-middle attackers to
overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP
response, related to lack of the HTTP Strict Transport Security (HSTS)
includeSubDomains feature, aka a “cookie forcing” issue.
michael-coates.blogspot.com/2010/01/cookie-forcing-trust-your-cookies-no.html
scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html
scarybeastsecurity.blogspot.com/2011/02/some-less-obvious-benefits-of-hsts.html
launchpad.net/bugs/cve/CVE-2008-7293
nvd.nist.gov/vuln/detail/CVE-2008-7293
security-tracker.debian.org/tracker/CVE-2008-7293
www.cve.org/CVERecord?id=CVE-2008-7293