amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance
Moderate severity
GitHub Reviewed
Published
May 15, 2024
to the GitHub Advisory Database
•
Updated May 15, 2024
Description
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
In artax version before 1.0.6 and 2 before 2.0.6, cookies of
foo.bar.example.com
were leaked tofoo.bar
. Additionally, any site could set cookies for any other site.Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the current domain, but not on any public suffixes.
References