Total
43 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8037 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-07-28 | 9.1 Critical |
| Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. | ||||
| CVE-2025-53757 | 2025-07-16 | N/A | ||
| This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device. | ||||
| CVE-2024-28770 | 1 Ibm | 2 Security Directory Integrator, Security Verify Directory Integrator | 2025-07-14 | 4.8 Medium |
| IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | ||||
| CVE-2024-28771 | 1 Ibm | 2 Security Directory Integrator, Security Verify Directory Integrator | 2025-07-14 | 4.8 Medium |
| IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | ||||
| CVE-2025-27450 | 2025-07-03 | 6.5 Medium | ||
| The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie. | ||||
| CVE-2025-36026 | 1 Ibm | 2 Datacap, Datacap Navigator | 2025-07-01 | 4.3 Medium |
| IBM Datacap 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | ||||
| CVE-2024-10718 | 1 Phpipam | 1 Phpipam | 2025-06-27 | 7.5 High |
| In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0. | ||||
| CVE-2024-55897 | 1 Ibm | 2 I, Powerha System Mirror | 2025-06-20 | 4.3 Medium |
| IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | ||||
| CVE-2024-30142 | 1 Hcltech | 1 Bigfix Compliance | 2025-06-17 | 3.8 Low |
| HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel. | ||||
| CVE-2022-3251 | 1 Ikus-soft | 1 Minarca | 2025-05-28 | 5.3 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2. | ||||
| CVE-2022-3250 | 1 Ikus-soft | 1 Rdiffweb | 2025-05-28 | 5.3 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6. | ||||
| CVE-2023-33860 | 1 Ibm | 1 Security Qradar Edr | 2025-05-19 | 5.3 Medium |
| IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | ||||
| CVE-2024-0349 | 1 Engineers Online Portal Project | 1 Engineers Online Portal | 2025-04-17 | 3.7 Low |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to sensitive cookie without secure attribute. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-250117 was assigned to this vulnerability. | ||||
| CVE-2022-4409 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-04-14 | 7.5 High |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. | ||||
| CVE-2022-4683 | 1 Usememos | 1 Memos | 2025-04-09 | 6.5 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. | ||||
| CVE-2023-0055 | 1 Pyload | 1 Pyload | 2025-04-09 | 5.3 Medium |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. | ||||
| CVE-2024-39734 | 1 Ibm | 1 Datacap | 2025-03-25 | 4.3 Medium |
| IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 296001. | ||||
| CVE-2022-21940 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2025-03-24 | 7.5 High |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | ||||
| CVE-2022-25151 | 1 Itarian | 2 On-premise, Saas Service Desk | 2025-03-11 | 7.5 High |
| Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user. | ||||
| CVE-2025-24390 | 2025-02-12 | 6.8 Medium | ||
| A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X | ||||