Kace Server - Missing HttpOnly Attribute in Session Cookie
Anyone else come across this? Security ran a scan and the K1000 and K2000 both have this vulnerability.
ISSUE: "Missing HttpOnly Attribute in Session Cookie"
There was some question here at my organization about whether the 5.5 upgrade addressed it, but I didn't see any reference in the release notes or elsewhere so I don't think it was addressed.
The "Fix recommendation" is to "Add the 'HttpOnly' attribute to all session cookies." This sounds like something Kace support would have to do, but if it's a big deal and isn't already done, then I would expect it's not done for a reason.
Any info at all on this oddball would be great.
There are no answers at this time
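A scanner finding like this can be confirmed, before and after any upgrade, by reading the `Set-Cookie` response headers the appliance sends. The following is an added example, not part of the original post and not KACE code; the header lines and cookie names are constructed sample data, and attribute matching is case-insensitive with any attribute value ignored.

```python
# Added example: report cookies whose Set-Cookie header lacks HttpOnly.
# All header lines and cookie names below are constructed sample data.

SAMPLE_HEADERS = [
    "Set-Cookie: EXAMPLE_SESSION=3f9a1c; Path=/; Secure",
    "Set-Cookie: EXAMPLE_AUTH=77ab02; Path=/; HttpOnly; Secure",
    # "httponly" as a cookie VALUE is not the attribute and must not count
    "set-cookie: example_theme=httponly; path=/",
    # header name and attribute name are both case-insensitive
    "SET-COOKIE: EXAMPLE_CSRF=abc;httponly",
    "Content-Type: text/html",
]


def parse_set_cookie(line):
    """Return (cookie_name, {lowercased attribute names}) or None."""
    field, sep, value = line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None  # not a Set-Cookie header line
    pair, *attrs = value.split(";")  # first segment is name=value
    name = pair.partition("=")[0].strip()
    if not name:
        return None
    attr_names = {a.partition("=")[0].strip().lower() for a in attrs}
    attr_names.discard("")  # tolerate a trailing ';'
    return name, attr_names


def cookies_missing_httponly(header_lines, only_names=None):
    """List cookie names set without HttpOnly.

    only_names: optional set restricting the check to known session cookies.
    """
    missing = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed is None:
            continue
        name, attrs = parsed
        if only_names is not None and name not in only_names:
            continue
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"missing HttpOnly: {cookie}")
```

Feed it the header lines captured from the login response (for example, saved output of a header dump) and pass the real session cookie names as `only_names` to ignore cookies that are not session identifiers.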