sromanhu / CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes

Multiple Cross-Site Scripting vulnerabilities in ConcreteCMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script in the Header and Footer Tracking Codes of the SEO & Statistics

Responsible disclosure #1

Open KorvinSzanto opened 1 year ago

KorvinSzanto commented 1 year ago

ConcreteCMS has a security program over at https://hackerone.com/concretecms, please use that to report suspected security issues.

This specific CVE is not a vulnerability; the header tracking code's sole functionality is to allow an admin to add JavaScript to all pages.

KorvinSzanto commented 1 year ago

It's also worth noting that the session cookie Concrete uses is marked as HttpOnly and not accessible via JavaScript. The cookie you show is unrelated to Concrete CMS.
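Added example, not from the issue thread or from ConcreteCMS: a small audit that takes Set-Cookie headers (constructed sample values below, with hypothetical cookie names) and reports which cookies lack HttpOnly, Secure or SameSite, which is the distinction the comment above draws between the CMS session cookie and an unrelated one.

```python
# Added example (not from the issue or from ConcreteCMS): audit Set-Cookie
# headers for the flags that limit what injected page JavaScript can read.
from typing import Dict, List, Optional

# Constructed sample headers. Cookie names are hypothetical, not real
# ConcreteCMS cookie names.
SAMPLE_SET_COOKIE_HEADERS = [
    "CMS_SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_analytics_id=GA1.2.555; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "csrf=tok; Path=/; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie header into {'name': ..., attr_lower: value}."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, Optional[str]] = {"name": name}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def missing_flags(header: str) -> List[str]:
    """Return the protective attributes a Set-Cookie header lacks."""
    attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # readable via document.cookie
    if "secure" not in attrs:
        missing.append("Secure")    # also sent over plain HTTP
    if not attrs.get("samesite"):
        missing.append("SameSite")  # browser default applies
    return missing


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing flags (empty list = all set)."""
    return {parse_set_cookie(h)["name"]: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Feed it the Set-Cookie lines from a real response (for example from `curl -sI`) to confirm which cookies an injected script could actually read.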