CVEbaza.plSłownik CWECWE-1004
Common Weakness Enumeration

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

Kategoria: VariantCVE: 42
Opis

Produkt używa pliku cookie do przechowywania wrażliwych informacji, jednak plik cookie nie jest oznaczony flagą HttpOnly. To może umożliwić skryptom JavaScript dostęp do poufnych danych poprzez ataki XSS.

Description (EN)

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Podatności CVE z CWE-1004 (42)
9.8
CVSS
CRITICAL
CVE-2025-26844

W systemie Znuny (do wersji 7.1.3 włącznie) ciasteczko jest ustawiane bez flagi HttpOnly, co umożliwia jego odczyt przez skrypty JavaScript. Podatność ta może prowadzić do kradzieży sesji użytkownika.

pub. 2025-05-08
8.8
CVSS
HIGH
CVE-2026-22081

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.

pub. 2026-01-09
8.7
CVSS
HIGH
CVE-2025-53757

This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device.

pub. 2025-07-16
8.6
CVSS
HIGH
CVE-2026-39338

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned — resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.

pub. 2026-04-07
8.6
CVSS
HIGH
CVE-2025-0479

This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system.

pub. 2025-01-20
8.1
CVSS
HIGH
CVE-2026-42239

Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.

pub. 2026-05-07
8.1
CVSS
HIGH
CVE-2026-25136

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

pub. 2026-02-25
8.1
CVSS
HIGH
CVE-2021-42115

Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID.

pub. 2021-11-30
8.0
CVSS
HIGH
CVE-2026-35575

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3.

pub. 2026-04-07
7.6
CVSS
HIGH
CVE-2026-57948

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

pub. 2026-06-29
7.5
CVSS
HIGH
CVE-2025-27223

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.

pub. 2025-10-27
7.5
CVSS
HIGH
CVE-2022-21939

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

pub. 2023-02-09
7.5
CVSS
HIGH
CVE-2021-3706

adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag

pub. 2021-09-15
7.3
CVSS
HIGH
CVE-2026-25733

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

pub. 2026-02-25
7.3
CVSS
HIGH
CVE-2025-57424

A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the absence of the HttpOnly flag on the session cookie, this flaw could be exploited to capture session tokens and hijack user sessions, enabling elevated access.

pub. 2025-09-29
7.1
CVSS
HIGH
CVE-2020-27658

Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

pub. 2020-10-29
6.9
CVSS
MEDIUM
CVE-2024-41685

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.

pub. 2024-07-26
6.5
CVSS
MEDIUM
CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

pub. 2026-01-16
6.5
CVSS
MEDIUM
CVE-2021-39210

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

pub. 2021-09-15
6.5
CVSS
MEDIUM
CVE-2019-8283

Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it.

pub. 2019-06-07
Pokazano 20 z 42 podatności
Informacje
ID: CWE-1004
Typ: Variant
Podatności: 42
MITRE CWE ↗
← Słownik CWE