
CVE-2023-33860: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Security QRadar EDR

Severity: Medium
Tags: Vulnerability, CVE-2023-33860, cve, cwe-614
Published: Wed Jul 10 2024 (07/10/2024, 15:28:42 UTC)
Source: CVE
Vendor/Project: IBM
Product: Security QRadar EDR

Description

IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

AI-Powered Analysis

Last updated: 07/04/2025, 14:10:34 UTC

Technical Analysis

CVE-2023-33860 is a medium-severity vulnerability affecting IBM Security QRadar EDR version 3.12. The product does not set the Secure attribute on its authorization tokens or session cookies. The Secure attribute tells the browser to attach a cookie only to requests sent over HTTPS. Without it, a cookie that was set during an HTTPS session is also attached to any plain HTTP request to the same host, because cookie scope is defined by host and path, not by scheme. An attacker therefore only needs the victim's browser to issue a single http:// request to the QRadar EDR host, for example by following a link in a phishing message or by loading an image or script reference planted on a page the user visits. The cookie travels in cleartext in that request, before any redirect to HTTPS the server might answer with, and anyone able to observe the traffic (an on-path attacker on an untrusted network, a rogue access point) can read it and replay it to hijack the session.

The weakness is classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), which covers exactly this misconfiguration of cookie attributes. The CVSS 3.1 base score listed is 5.3 (medium): network attack vector, no privileges required, and impact on confidentiality only, with integrity and availability unaffected. Note that the attack path described above still depends on a user following or loading an http:// link and on the attacker being positioned to capture the resulting plaintext request. No exploits are reported in the wild, but these prerequisites are realistic wherever the console is reached over untrusted networks or users can be phished. Because QRadar EDR is a security monitoring and incident detection platform, a hijacked session could expose sensitive security data or allow an attacker to tamper with detection capabilities, undermining the organization's security posture.

Potential Impact

For European organizations using IBM Security QRadar EDR 3.12, this vulnerability could lead to unauthorized access to security monitoring consoles if attackers successfully capture session cookies. This exposure risks confidentiality of sensitive security event data, potentially allowing attackers to evade detection or manipulate incident response processes. The impact is particularly significant for organizations in critical infrastructure sectors, finance, government, and large enterprises that rely on QRadar EDR for threat detection and response. Given the medium severity and the requirement for interception of HTTP traffic, the risk is higher in environments where users access management consoles over insecure networks or where phishing/social engineering could direct users to HTTP links. The vulnerability does not directly affect system integrity or availability but compromises the confidentiality of session tokens, which can have cascading effects on security operations. European organizations with strict data protection regulations (e.g., GDPR) must consider the risk of unauthorized access to security logs and incident data as a compliance concern.

Mitigation Recommendations

1. Apply the IBM fix or configuration update that sets the Secure attribute (and HttpOnly) on all session and authorization cookies. This is the only change that stops the browser from attaching the cookie to http:// requests in the first place.
2. Serve the QRadar EDR console exclusively over HTTPS and send a Strict-Transport-Security (HSTS) header, so that browsers which have already visited the console rewrite later http:// links to https:// before sending anything. A plain HTTP-to-HTTPS redirect on its own does not help: the cookie is already in the plaintext request that receives the redirect. Disabling the HTTP listener on the appliance is also insufficient against an active on-path attacker, who can simply accept the port 80 connection and read the cookie.
3. Where a web application firewall, reverse proxy or TLS termination point fronts the console, use it to add the missing Secure and HttpOnly attributes to upstream Set-Cookie headers and to inject the HSTS header, and verify the resulting response headers from a client before relying on it.
4. Educate users to avoid clicking http:// links that claim to lead to QRadar EDR and to check the URL scheme before authenticating.
5. Place management consoles on a segmented network reachable only via VPN, which reduces the opportunity for an on-path attacker to observe the plaintext request.
6. Monitor session activity for signs of hijacking, such as the same session token used from two source addresses or user agents in a short window.
7. Regularly review and update security policies to enforce secure cookie handling and session management practices across all web-facing management interfaces.
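To make the mechanism in the technical analysis concrete, and to give a check for item 3 of the mitigations, the following added example (not code from the page or from IBM) uses only Python's standard library. The `http.cookiejar` module applies the same Secure rule a browser does, so it shows directly that a cookie set over https:// without the attribute is attached to an http:// request to the same host, and that adding `Secure` stops that. It also includes a small audit function for Set-Cookie header values. The host name, cookie names and values are constructed for the example and do not come from a real QRadar EDR deployment.

```python
"""Show why a cookie without the Secure attribute leaks over http://, and
audit Set-Cookie headers for the CWE-614 pattern. Standard library only."""
import email.message
import http.cookiejar
import io
import urllib.request
import urllib.response

# Constructed sample host (hypothetical, not a real QRadar EDR console).
ORIGIN = "https://edr-console.example.test/"
HTTP_TARGET = "http://edr-console.example.test/api/status"
HTTPS_TARGET = "https://edr-console.example.test/api/status"


def cookies_sent_to(set_cookie: str, origin: str, target_url: str) -> list[str]:
    """Store `set_cookie` as if it were received from `origin`, then return the
    names of the cookies the jar would attach to a request for `target_url`."""
    jar = http.cookiejar.CookieJar()
    headers = email.message.Message()
    headers["Set-Cookie"] = set_cookie
    # addinfourl is the response shape the jar expects: a file, headers and a URL.
    response = urllib.response.addinfourl(io.BytesIO(b""), headers, origin)
    jar.extract_cookies(response, urllib.request.Request(origin))

    request = urllib.request.Request(target_url)
    # This is where the Secure rule is applied: a cookie marked secure is
    # skipped when the request scheme is not https.
    jar.add_cookie_header(request)
    cookie_header = request.get_header("Cookie", "")
    return [part.split("=", 1)[0].strip()
            for part in cookie_header.split(";") if part.strip()]


def audit_set_cookie(set_cookie: str) -> list[str]:
    """Return findings for one Set-Cookie header value. Attribute names are
    case-insensitive (RFC 6265), so both 'secure' and 'Secure' count."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (CWE-614), will be sent over http://")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by page script")
    return findings


if __name__ == "__main__":
    weak = "sessionid=0123456789abcdef; Path=/; HttpOnly"
    fixed = "sessionid=0123456789abcdef; Path=/; HttpOnly; Secure"
    for label, header in (("weak", weak), ("fixed", fixed)):
        print(label, "-> http:", cookies_sent_to(header, ORIGIN, HTTP_TARGET),
              "https:", cookies_sent_to(header, ORIGIN, HTTPS_TARGET))
        for finding in audit_set_cookie(header):
            print("   ", finding)
```

The http:// request the jar builds for the weak cookie is exactly the request an HTTP-to-HTTPS redirect would answer, which is why a redirect alone does not mitigate the issue: the session token is already on the wire. To audit a live deployment, feed the Set-Cookie values from the console's login response into `audit_set_cookie` and expect an empty list once the fix or the proxy rewrite is in place.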


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2023-05-23T00:32:05.086Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb5e2
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/4/2025, 2:10:34 PM
Last updated: 8/14/2025, 4:40:12 AM
