CWE-1275
AllowedSensitive Cookie with Improper SameSite Attribute
Abstraction: Variant · Status: Incomplete
The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
35 vulnerabilities reference this CWE, most recent first.
GHSA-FV45-RWVX-GXXG
Vulnerability from github – Published: 2026-02-03 21:31 – Updated: 2026-02-03 21:31HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.
{
"affected": [],
"aliases": [
"CVE-2025-52628"
],
"database_specific": {
"cwe_ids": [
"CWE-1275"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T19:16:12Z",
"severity": "MODERATE"
},
"details": "HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.",
"id": "GHSA-fv45-rwvx-gxxg",
"modified": "2026-02-03T21:31:50Z",
"published": "2026-02-03T21:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52628"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0127972"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GQQ5-V4CW-9926
Vulnerability from github – Published: 2023-07-06 03:30 – Updated: 2024-04-04 05:25Improper configuration in Samsung Internet prior to version 21.0.0.41 allows attacker to bypass SameSite Cookie.
{
"affected": [],
"aliases": [
"CVE-2023-30674"
],
"database_specific": {
"cwe_ids": [
"CWE-1275"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T03:15:12Z",
"severity": "MODERATE"
},
"details": "Improper configuration in Samsung Internet prior to version 21.0.0.41 allows attacker to bypass SameSite Cookie.",
"id": "GHSA-gqq5-v4cw-9926",
"modified": "2024-04-04T05:25:46Z",
"published": "2023-07-06T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30674"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HR59-Q2GM-7HRJ
Vulnerability from github – Published: 2024-07-09 15:30 – Updated: 2024-07-16 18:31A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128.
{
"affected": [],
"aliases": [
"CVE-2024-6611"
],
"database_specific": {
"cwe_ids": [
"CWE-1275"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T15:15:13Z",
"severity": "CRITICAL"
},
"details": "A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox \u003c 128.",
"id": "GHSA-hr59-q2gm-7hrj",
"modified": "2024-07-16T18:31:42Z",
"published": "2024-07-09T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6611"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1844827"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-29"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPQ2-MV8P-9WM6
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:18Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0RC1"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8413"
],
"database_specific": {
"cwe_ids": [
"CWE-1275",
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T21:18:09Z",
"nvd_published_at": "2026-05-21T22:16:51Z",
"severity": "LOW"
},
"details": "Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design.",
"id": "GHSA-mpq2-mv8p-9wm6",
"modified": "2026-06-24T21:18:31Z",
"published": "2026-05-22T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8413"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design"
}
GHSA-XMFQ-XM97-G58P
Vulnerability from github – Published: 2025-11-25 15:31 – Updated: 2025-12-01 15:30IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie.
{
"affected": [],
"aliases": [
"CVE-2025-36134"
],
"database_specific": {
"cwe_ids": [
"CWE-1275"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-25T15:15:51Z",
"severity": "LOW"
},
"details": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1\u00a0could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie.",
"id": "GHSA-xmfq-xm97-g58p",
"modified": "2025-12-01T15:30:16Z",
"published": "2025-11-25T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36134"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7252210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.
CAPEC-62: Cross Site Request Forgery
An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.