{"api_version":"1","generated_at":"2026-04-22T23:30:35+00:00","cve":"CVE-2019-14849","urls":{"html":"https://cve.report/CVE-2019-14849","api":"https://cve.report/api/cve/CVE-2019-14849.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-14849","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-14849"},"summary":{"title":"CVE-2019-14849","description":"A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2019-12-12 14:15:00","updated_at":"2023-02-12 23:35:00"},"problem_types":["CWE-201"],"metrics":[],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2019-14849","name":"https://access.redhat.com/security/cve/CVE-2019-14849","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1712167","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1712167","refsource":"MISC","tags":[],"title":"1712167 – (CVE-2019-14849) CVE-2019-14849 3scale: user session cookie does not set HTTPOnly","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"1712167 – (CVE-2019-14849) CVE-2019-14849 3scale: user session cookie does not set HTTPOnly","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2019:2534","name":"https://access.redhat.com/errata/RHSA-2019:2534","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-14849","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14849","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"14849","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"3scale","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14849","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"3scale","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2019-14849","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-201","cweId":"CWE-201"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"3scale","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"}]},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.6,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N","version":"3.0"}]}},"nvd":{"publishedDate":"2019-12-12 14:15:00","lastModifiedDate":"2023-02-12 23:35:00","problem_types":["CWE-201"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"14849","Ordinal":"154058","Title":"CVE-2019-14849","CVE":"CVE-2019-14849","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"14849","Ordinal":"1","NoteData":"A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"14849","Ordinal":"2","NoteData":"2019-12-12","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"14849","Ordinal":"3","NoteData":"2019-12-12","Type":"Other","Title":"Modified"}]}}}