CVE-2019-17104 — Centreon Does Not Set HTTPOnly Flag

Description

In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.

How to fix CVE-2019-17104

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Packagist/centreon/centreon—no fix listed

Is CVE-2019-17104 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 19.04.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-17104
PATCHgithub.com/centreon/centreon-archived
WEBdocs.centreon.com/current/en/administration/secure-platform.html#securing-the-apache-web-server
WEBgithub.com/centreon/centreon-archived/issues/7097