CVE-2024-6741

Openfinds Mail2000 has a vulnerability that allows the HttpOnly flag to be bypassed. Unauthenticated remote attackers can exploit this vulnerability using specific JavaScript code to obtain the session cookie with the HttpOnly flag enabled.

Weakness

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Affected Software

Name	Vendor	Start Version	End Version
Mail2000	Openfind	7.0 (including)	7.0 (including)
Mail2000	Openfind	8.0 (including)	8.0 (including)

https://cwe.mitre.org/data/definitions/1.html
https://cwe.mitre.org/data/definitions/107.html
https://cwe.mitre.org/data/definitions/127.html
https://cwe.mitre.org/data/definitions/17.html
https://cwe.mitre.org/data/definitions/20.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/237.html
https://cwe.mitre.org/data/definitions/36.html
https://cwe.mitre.org/data/definitions/477.html
https://cwe.mitre.org/data/definitions/480.html
https://cwe.mitre.org/data/definitions/51.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/59.html
https://cwe.mitre.org/data/definitions/65.html
https://cwe.mitre.org/data/definitions/668.html
https://cwe.mitre.org/data/definitions/74.html
https://cwe.mitre.org/data/definitions/87.html

References

https://www.openfind.com.tw/taiwan/download/Openfind_OF-ISAC-24-007.pdf
https://www.twcert.org.tw/en/cp-139-7941-b66e7-2.html
https://www.twcert.org.tw/tw/cp-132-7940-0177a-1.html
https://www.openfind.com.tw/taiwan/download/Openfind_OF-ISAC-24-007.pdf
https://www.twcert.org.tw/en/cp-139-7941-b66e7-2.html
https://www.twcert.org.tw/tw/cp-132-7940-0177a-1.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-6741
CWE	https://cwe.mitre.org/data/definitions/693.html

Protection Mechanism Failure

Weakness

Affected Software

Related Attack Patterns

References