The cookie does not contain the "secure" attribute.
I have your latest version of ISPConfig, and the PCI scan shows this. For example: https://web03.efimatica.com:8080/index.php
Threat:
The cookie does not contain the "secure" attribute.
Based on the latest release of the PCI-DSS, this vulnerability is a PCI Fail. PCI-DSSv3.1 requirement 6.5.10 is focused on secure session management, and refers to session cookies needing to have the "secure" attribute set within the Cardholder Data Environment. Refer to PCI-DSSv3.1 for details.
Impact:
Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
Solution:
If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
Result:
url: https://195.235.59.171:8080/
Payload: N/A
matched: PHPSESSID=l70vt4ik36feakh9liighafkj0; path=/; domain=195.235.59.171
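
As an added example (not part of the original post and not ISPConfig's code), this Python check reproduces what the scanner tests: it parses Set-Cookie header values and reports cookies whose attribute list lacks "Secure". The function names are hypothetical, and every sample except the matched line from the report is constructed.

```python
# Added example: find cookies that are set without the "Secure" attribute.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    first, *rest = header_value.split(";")
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        key = key.strip().lower()  # attribute names are case-insensitive
        if key:                    # skip empty pieces from a trailing ";"
            attrs[key] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_secure(set_cookie_values):
    """Return the names of cookies whose attribute list lacks Secure."""
    flagged = []
    for header_value in set_cookie_values:
        name, _value, attrs = parse_set_cookie(header_value)
        # Only the attribute list counts: a cookie *named* "secure", or one
        # whose value is "secure", is still sent over plain HTTP.
        if "secure" not in attrs:
            flagged.append(name)
    return flagged


SAMPLES = [
    # Matched line from the scan report on this page.
    "PHPSESSID=l70vt4ik36feakh9liighafkj0; path=/; domain=195.235.59.171",
    # Constructed: attribute present, written in upper case.
    "PHPSESSID=constructed-id; path=/; SECURE; HttpOnly",
    # Constructed: cookie is named "secure" but has no Secure attribute.
    "secure=1; path=/",
    # Constructed: value is "secure" and the attribute is also set.
    "prefs=secure; Path=/; Secure;",
]

if __name__ == "__main__":
    for cookie_name in missing_secure(SAMPLES):
        print(f"{cookie_name}: no Secure attribute")
```

For PHP session cookies such as PHPSESSID, the `session.cookie_secure` ini setting controls whether this attribute is sent.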