CVE-2024-10718
Published: 20 March 2025
Summary
CVE-2024-10718 is a high-severity Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) vulnerability in Phpipam Phpipam. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Establishes and enforces configuration settings that require the Secure attribute on sensitive cookies, directly preventing their transmission over unencrypted HTTP connections.
Requires timely identification, reporting, and correction of the phpIPAM flaw missing the Secure cookie attribute, as remediated in version 1.7.0.
Protects the confidentiality of transmitted sensitive information like session cookies, mitigating exposure even if sessions downgrade to HTTP.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability causes sensitive cookies to be sent over plaintext HTTP, enabling network sniffing (T1040), web session cookie theft (T1539), and adversary-in-the-middle attacks (T1557).
NVD Description
In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed…
more
in version 1.7.0.
Deeper analysisAI
CVE-2024-10718 is a vulnerability in phpipam/phpipam version 1.5.1, an open-source IP address management application. The issue arises because the Secure attribute is not set on sensitive cookies during HTTPS sessions, which can lead user agents to transmit those cookies in plaintext over HTTP connections, potentially exposing sensitive information. This flaw corresponds to CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) and CWE-319 (Cleartext Transmission of Sensitive Information), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited by any network attacker with low complexity and no privileges or user interaction required. An adversary positioned to observe traffic could capture sensitive cookies if a victim's browser downgrades to an HTTP session, such as through interception on unsecured networks. Successful exploitation enables high-impact confidentiality violations by disclosing cookie contents, which may include session tokens or other sensitive data.
Mitigation is provided in phpipam/phpipam version 1.7.0, where the Secure attribute is properly implemented, as detailed in the fix commit at https://github.com/phpipam/phpipam/commit/ddf70ef6801442eb8b0be5eea829e470e653c70e. Security practitioners should upgrade affected installations to version 1.7.0 or later. Further details are available in the Huntr.dev bounty report at https://huntr.com/bounties/725bce8f-328f-4fbc-acf5-46ea920cd3c1.
Details
- CWE(s)