Publish Date: Jan. 11, 2019
SummaryWe've identified and fixed a vulnerability within a Spiceworks sub-domain that, when used alongside other potential vulnerabilities, could allow an attacker to steal users’ cookies.
Who’s Affected?At this time we do not believe anyone was impacted by this vulnerability.
DetailsA Spiceworks sub-domain that would not expect user traffic was utilizing HTTP TRACE. This is a method used for testing to see the data at the other end of a request chain. While this specific TRACE method would not normally be an issue on this sub-domain, when paired with other cross-domain vulnerabilities, an attacker could steal users’ cookies. One specific example of this type of attack is called Cross-Site Tracing, utilizing XSS and TRACE vulnerabilities.
Mitigating FactorsIn order to use this vulnerability, an attacker...