It was discovered that Magento reveals the HttpOnly admin session cookie in the response to a successful file upload in the admin panel. Because the response content type is JSON, script running in the admin origin can fetch that response and read the cookie value from its body, which defeats the protection HttpOnly is meant to provide: an attacker who can exploit any XSS present in the admin panel can therefore steal the admin session cookie. The vulnerable file upload sections are in the CMS, Catalog and Downloadable modules.
Type: Privilege Escalation & Enumeration: Broken Authentication and Session Management
CVSSv3 Severity: N/A
Known Attacks: None
Product(s) Affected: Magento 2.1 prior to 2.1.15, Magento 2.2 prior to 2.2.6
Fixed In: Magento 2.1.15, Magento 2.2.6
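The following is an added example, not Magento code and not part of the advisory, showing the two sides of the issue in Node.js: a regression check that flags any HTTP response whose body echoes a cookie value the client sent (the condition this advisory describes), and the read an injected admin-panel script could perform on such a JSON response to recover an HttpOnly cookie. The cookie names, values and JSON layouts are constructed for illustration; the advisory does not say how the upload response carried the cookie, so the leaky response here is only an assumed shape.

```javascript
// Added example (not Magento's code): detecting and modelling an HttpOnly
// cookie echoed into a JSON response body.

// Parse a request's Cookie header ("a=1; b=2") into name -> value pairs.
function parseCookieHeader(cookieHeader) {
  const cookies = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Regression check: return the names of request cookies whose value appears
// anywhere in the response body. A cookie that shows up here is readable by
// any same-origin script regardless of its HttpOnly flag. Values shorter than
// minLen are skipped to avoid noise from trivial values such as "1".
function findLeakedCookies(cookieHeader, responseBody, minLen = 8) {
  const cookies = parseCookieHeader(cookieHeader);
  const leaked = [];
  for (const [name, value] of Object.entries(cookies)) {
    if (value.length >= minLen && responseBody.includes(value)) {
      leaked.push(name);
    }
  }
  return leaked;
}

// What an injected script could do with a leaky JSON response: parse it and
// pull the named cookie out of any string value in the tree. document.cookie
// would not reveal this cookie because it is HttpOnly; the JSON body does.
function extractCookieFromJson(body, cookieName) {
  const re = new RegExp("(?:^|;\\s*)" + cookieName + "=([^;]*)");
  const stack = [JSON.parse(body)];
  while (stack.length) {
    const node = stack.pop();
    if (typeof node === "string") {
      const m = re.exec(node);
      if (m) return m[1];
    } else if (node && typeof node === "object") {
      stack.push(...Object.values(node));
    }
  }
  return null;
}

// Constructed sample: cookies sent with an admin file upload request.
// "admin" stands in for an HttpOnly admin session cookie (assumed name).
const SAMPLE_COOKIE_HEADER =
  "admin=0d2f8b1c6e4a9b7f3c1d5e6f7a8b9c0d; form_key=Xy12AbCd";

// Constructed sample of a leaky upload response: the server has copied the
// request's Cookie header into the JSON it returns (assumed shape).
const LEAKY_RESPONSE = JSON.stringify({
  name: "image.png",
  size: 2048,
  request: { cookie: SAMPLE_COOKIE_HEADER },
});

// Constructed sample of a fixed response carrying only upload metadata.
const FIXED_RESPONSE = JSON.stringify({
  name: "image.png",
  size: 2048,
  url: "/media/image.png",
});

console.log("leaky response leaks:", findLeakedCookies(SAMPLE_COOKIE_HEADER, LEAKY_RESPONSE));
console.log("fixed response leaks:", findLeakedCookies(SAMPLE_COOKIE_HEADER, FIXED_RESPONSE));
console.log("admin cookie via JSON:", extractCookieFromJson(LEAKY_RESPONSE, "admin"));
```

Running `findLeakedCookies` over the real upload responses of the CMS, Catalog and Downloadable file upload handlers, with the browser's actual Cookie header, is the kind of check that would have caught this class of leak before release; the fixed versions of the response should come back with an empty list.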