Pinpoint through version 3.1.0 is affected by a vulnerability where the session cookie pinpointJwt is missing the HttpOnly and Secure attributes. Without HttpOnly, JavaScript running in the browser can access the cookie via document.cookie, and without Secure, the cookie can be transmitted over unencrypted HTTP connections. This insecure cookie handling enables attackers to steal session tokens through stored or reflected cross-site scripting (XSS) attacks or by intercepting network traffic, potentially leading to session hijacking.

Attackers can access the pinpointJwt session cookie through client-side scripts or network sniffing due to missing security flags. This exposure allows theft of session tokens, enabling unauthorized session hijacking and impersonation of legitimate users. The vulnerability requires user interaction (UI:P) and has a high attack complexity (AC:H), but no privileges or authentication are needed to exploit.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, mitigate risk by ensuring the application is served over HTTPS to protect cookie transmission and by addressing any cross-site scripting vulnerabilities that could be used to steal cookies. Implementing HttpOnly and Secure flags on session cookies is recommended once a patch or configuration update is provided.