On Sat, Jan 26, 2019 at 5:26 PM wrote:
>
> Would that mean if the server, if accessible only by
> https://guacamole.domain.com/something/
> and HTTP was blocked, it would be OK in this case?
>
Yes.
There would only be a danger of the session token being intercepted if
unencrypted HTTP
rg,
secur...@guacamole.apache.org
Date: 01/23/19 05:21 PM
Subject: [SECURITY] CVE-2018-1340: Secure flag missing from Apache
Guacamole session cookie
CVE-2018-1340: Secure flag missing from Apache Guacamole session cookie
Versions affected:
Apache Guacamole 0.9.4 through 0.9.14
Description:
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could
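
Added example, not part of the original thread or of the Guacamole code base: it models the browser's decision to attach a session cookie, with and without the "secure" flag, to show why the exposure discussed above depends on unencrypted HTTP being reachable. The cookie name `SESSION_TOKEN`, its value and the helper names are constructed placeholders; the same host is assumed and path matching is simplified.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers (placeholder cookie name and token).
WITHOUT_SECURE = "Set-Cookie: SESSION_TOKEN=constructed-token; Path=/something/; HttpOnly"
WITH_SECURE = "Set-Cookie: SESSION_TOKEN=constructed-token; Path=/something/; HttpOnly; Secure"

# URLs built from the host name used in the question above.
HTTPS_URL = "https://guacamole.domain.com/something/"
HTTP_URL = "http://guacamole.domain.com/something/"


def parse_set_cookie(header):
    """Return the single Morsel described by one Set-Cookie header line."""
    value = header.split(":", 1)[1].strip()
    jar = SimpleCookie()
    jar.load(value)
    (morsel,) = jar.values()
    return morsel


def sent_on(morsel, url):
    """Simplified browser rule: would the cookie be attached to a request for url?"""
    parts = urlsplit(url)
    # A cookie carrying the Secure flag is only attached to HTTPS requests.
    if morsel["secure"] and parts.scheme != "https":
        return False
    # Simplified path check (prefix match only); host matching is assumed.
    return parts.path.startswith(morsel["path"] or "/")


def exposed_in_cleartext(header, reachable_urls):
    """List the reachable URLs on which the cookie would travel unencrypted."""
    morsel = parse_set_cookie(header)
    return [u for u in reachable_urls
            if urlsplit(u).scheme == "http" and sent_on(morsel, u)]


if __name__ == "__main__":
    scenarios = [
        ("no Secure flag, HTTP reachable", WITHOUT_SECURE, [HTTPS_URL, HTTP_URL]),
        ("no Secure flag, HTTPS only", WITHOUT_SECURE, [HTTPS_URL]),
        ("Secure flag, HTTP reachable", WITH_SECURE, [HTTPS_URL, HTTP_URL]),
    ]
    for label, header, urls in scenarios:
        print(f"{label}: cleartext exposure on {exposed_in_cleartext(header, urls)}")
```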