Vulnerability Database

CVE-2008-7294

Google Chrome before 4.0.211.0 cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, aka a "cookie forcing" issue.

  • Published: Aug 9, 2011
  • Updated: Apr 13, 2023
  • CVE: CVE-2008-7294
  • Severity: Medium
  • Exploit:

CVSS v2:

  • Severity: Medium
  • Score: 5.8
  • AV:N/AC:M/Au:N/C:N/I:P/A:P

CWEs:

| Software | From | Fixed in |
|---|---|---|
| google / chrome | 2.0.172.8 | 2.0.172.8.x |
| google / chrome | 0.3.154.3 | 0.3.154.3.x |
| google / chrome | 3.0.182.2 | 3.0.182.2.x |
| google / chrome | 0.2.149.30 | 0.2.149.30.x |
| google / chrome | 0.4.154.31 | 0.4.154.31.x |
| google / chrome | - | 3.0.195.38.x |
| google / chrome | 1.0.154.39 | 1.0.154.39.x |
| google / chrome | 2.0.172.38 | 2.0.172.38.x |
| google / chrome | 1.0.154.59 | 1.0.154.59.x |
| google / chrome | 0.2.149.27 | 0.2.149.27.x |
| google / chrome | 1.0.154.53 | 1.0.154.53.x |
| google / chrome | 0.4.154.33 | 0.4.154.33.x |
| google / chrome | 2.0.170.0 | 2.0.170.0.x |
| google / chrome | 1.0.154.43 | 1.0.154.43.x |
| google / chrome | 3.0.195.2 | 3.0.195.2.x |
| google / chrome | 1.0.154.42 | 1.0.154.42.x |
| google / chrome | 2.0.169.1 | 2.0.169.1.x |
| google / chrome | 2.0.172.33 | 2.0.172.33.x |
| google / chrome | 3.0.195.24 | 3.0.195.24.x |
| google / chrome | 3.0.195.33 | 3.0.195.33.x |
| google / chrome | 1.0.154.52 | 1.0.154.52.x |
| google / chrome | 2.0.172.27 | 2.0.172.27.x |
| google / chrome | 1.0.154.65 | 1.0.154.65.x |
| google / chrome | 2.0.157.2 | 2.0.157.2.x |
| google / chrome | 0.1.38.4 | 0.1.38.4.x |
| google / chrome | 0.4.154.18 | 0.4.154.18.x |
| google / chrome | 3.0.195.27 | 3.0.195.27.x |
| google / chrome | 0.2.149.29 | 0.2.149.29.x |
| google / chrome | 3.0.195.25 | 3.0.195.25.x |
| google / chrome | 2.0.157.0 | 2.0.157.0.x |
| google / chrome | 0.2.152.1 | 0.2.152.1.x |
| google / chrome | 0.3.154.0 | 0.3.154.0.x |
| google / chrome | 3.0.195.36 | 3.0.195.36.x |
| google / chrome | 0.2.153.1 | 0.2.153.1.x |
| google / chrome | 2.0.172.2 | 2.0.172.2.x |
| google / chrome | 3.0.195.21 | 3.0.195.21.x |
| google / chrome | 1.0.154.64 | 1.0.154.64.x |
| google / chrome | 2.0.169.0 | 2.0.169.0.x |
| google / chrome | 0.1.38.1 | 0.1.38.1.x |
| google / chrome | 1.0.154.36 | 1.0.154.36.x |
| google / chrome | 2.0.172 | 2.0.172.x |
| google / chrome | 0.1.40.1 | 0.1.40.1.x |
| google / chrome | 2.0.172.30 | 2.0.172.30.x |
| google / chrome | 3.0.193.2-beta | 3.0.193.2-beta.x |
| google / chrome | 0.1.42.3 | 0.1.42.3.x |
| google / chrome | 2.0.156.1 | 2.0.156.1.x |
| google / chrome | 3.0.195.32 | 3.0.195.32.x |
| google / chrome | 0.1.42.2 | 0.1.42.2.x |
| google / chrome | 1.0.154.46 | 1.0.154.46.x |
| google / chrome | 3.0.190.2 | 3.0.190.2.x |
| google / chrome | 0.4.154.22 | 0.4.154.22.x |
| google / chrome | 2.0.159.0 | 2.0.159.0.x |
| google / chrome | 2.0.158.0 | 2.0.158.0.x |
| google / chrome | 2.0.172.28 | 2.0.172.28.x |
| google / chrome | 2.0.172.31 | 2.0.172.31.x |
| google / chrome | 1.0.154.48 | 1.0.154.48.x |
| google / chrome | 0.1.38.2 | 0.1.38.2.x |
| google / chrome | 2.0.172.37 | 2.0.172.37.x |
| google / chrome | 3.0.195.37 | 3.0.195.37.x |