CWE-565
AllowedReliance on Cookies without Validation and Integrity Checking
Abstraction: Base · Status: Incomplete
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
95 vulnerabilities reference this CWE, most recent first.
GHSA-7W8X-G282-6CF2
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-07-30 00:00The Vangene deltaFlow E-platform does not take properly protective measures. Attackers can obtain privileged permissions remotely by tampering with users’ data in the Cookie.
{
"affected": [],
"aliases": [
"CVE-2021-28171"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-06T12:15:00Z",
"severity": "CRITICAL"
},
"details": "The Vangene deltaFlow E-platform does not take properly protective measures. Attackers can obtain privileged permissions remotely by tampering with users\u2019 data in the Cookie.",
"id": "GHSA-7w8x-g282-6cf2",
"modified": "2022-07-30T00:00:35Z",
"published": "2022-05-24T22:28:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28171"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/7f0874b5-516b-4637-842d-b6fb6c335c66"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4618-4dcc2-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WGV-8JV9-78P4
Vulnerability from github – Published: 2025-12-13 18:30 – Updated: 2026-04-08 18:34The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.
{
"affected": [],
"aliases": [
"CVE-2025-14440"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-13T16:16:49Z",
"severity": "CRITICAL"
},
"details": "The JAY Login \u0026 Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the \u0027jay_login_register_process_switch_back\u0027 function with the \u0027jay_login_register_process_switch_back\u0027 cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.",
"id": "GHSA-7wgv-8jv9-78p4",
"modified": "2026-04-08T18:34:01Z",
"published": "2025-12-13T18:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14440"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3418754"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-844M-CPR9-JCMH
Vulnerability from github – Published: 2021-11-15 17:54 – Updated: 2022-08-11 18:31Impact
This vulnerability impacts any Rails applications using rails_multisite alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application.
Patches
The issue has been patched in v4 of the rails_multisite gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rails_multisite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41263"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-327",
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-15T17:53:35Z",
"nvd_published_at": "2021-11-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThis vulnerability impacts any Rails applications using `rails_multisite` alongside Rails\u0027 signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different \u0027sites\u0027 within a multi-site Rails application.\n\n### Patches\nThe issue has been patched in v4 of the `rails_multisite` gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.",
"id": "GHSA-844m-cpr9-jcmh",
"modified": "2022-08-11T18:31:09Z",
"published": "2021-11-15T17:54:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/discourse/rails_multisite/security/advisories/GHSA-844m-cpr9-jcmh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41263"
},
{
"type": "WEB",
"url": "https://github.com/discourse/rails_multisite/commit/c6785cdb5c9277dd2c5ac8d55180dd1ece440ed0"
},
{
"type": "PACKAGE",
"url": "https://github.com/discourse/rails_multisite"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails_multisite/CVE-2021-41263.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rails Multisite secure/signed cookies share secrets between sites in a multi-site application"
}
GHSA-84XP-5PQJ-58WV
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2022-10-14 12:00Linear eMerge 50P/5000P devices allow Authentication Bypass.
{
"affected": [],
"aliases": [
"CVE-2019-7266"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-02T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Linear eMerge 50P/5000P devices allow Authentication Bypass.",
"id": "GHSA-84xp-5pqj-58wv",
"modified": "2022-10-14T12:00:25Z",
"published": "2022-05-24T22:00:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7266"
},
{
"type": "WEB",
"url": "https://applied-risk.com/labs/advisories"
},
{
"type": "WEB",
"url": "https://www.applied-risk.com/resources/ar-2019-006"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-184-01"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155250/Linear-eMerge50P-5000P-4.6.07-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8C7C-H7PX-267G
Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:13Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8337"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T21:13:47Z",
"nvd_published_at": "2026-05-21T22:16:50Z",
"severity": "MODERATE"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys.\u00a0To be vulnerable, a\u00a0site would have to be configured in such a way that both public and private surveys are present on the site. An\u00a0unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey\u2019s endpoint.",
"id": "GHSA-8c7c-h7px-267g",
"modified": "2026-06-24T21:13:47Z",
"published": "2026-05-22T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8337"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to IDOR in surveys"
}
GHSA-8F96-86FJ-W39W
Vulnerability from github – Published: 2022-07-26 00:00 – Updated: 2022-08-03 00:00IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811.
{
"affected": [],
"aliases": [
"CVE-2022-35284"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T18:23:00Z",
"severity": "HIGH"
},
"details": "IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811.",
"id": "GHSA-8f96-86fj-w39w",
"modified": "2022-08-03T00:00:57Z",
"published": "2022-07-26T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35284"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/230811"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6606663"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8P8W-FW4M-CFJ7
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-12-03 00:30IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.
{
"affected": [],
"aliases": [
"CVE-2019-4305"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-30T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.",
"id": "GHSA-8p8w-fw4m-cfj7",
"modified": "2022-12-03T00:30:21Z",
"published": "2022-05-24T16:57:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4305"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/160951"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/960171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8PGC-65MJ-53H5
Vulnerability from github – Published: 2024-07-19 06:31 – Updated: 2024-10-31 17:02Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the gitpod_io_jwt2 session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker’s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gitpod-io/gitpod"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21583"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-06T22:05:52Z",
"nvd_published_at": "2024-07-19T05:15:10Z",
"severity": "MODERATE"
},
"details": "Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/auth before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/public-api-server before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/pkg/components/server before main-gha.27122; versions of the package @gitpod/gitpod-protocol before 0.1.5-main-gha.27122 are vulnerable to Cookie Tossing due to a missing __Host- prefix on the _gitpod_io_jwt2_ session cookie. This allows an adversary who controls a subdomain to set the value of the cookie on the Gitpod control plane, which can be assigned to an attacker\u2019s own JWT so that specific actions taken by the victim (such as connecting a new Github organization) are actioned by the attackers session.",
"id": "GHSA-8pgc-65mj-53h5",
"modified": "2024-10-31T17:02:51Z",
"published": "2024-07-19T06:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21583"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/pull/19973"
},
{
"type": "WEB",
"url": "https://github.com/gitpod-io/gitpod/commit/da1053e1013f27a56e6d3533aa251dbd241d0155"
},
{
"type": "WEB",
"url": "https://app.safebase.io/portal/71ccd717-aa2d-4a1e-942e-c768d37e9e0c/preview?product=%5B%E2%80%A6%5D942e-c768d37e9e0c\u0026tcuUid=1d505bda-9a38-4ca5-8724-052e6337f34d"
},
{
"type": "PACKAGE",
"url": "https://github.com/gitpod-io/gitpod"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2997"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSSERVERGOPKGLIB-7452074"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODCOMPONENTSWSPROXYPKGPROXY-7452075"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSAUTH-7452076"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSPUBLICAPISERVER-7452077"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGITPODIOGITPODINSTALLINSTALLERPKGCOMPONENTSSERVER-7452078"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-GITPODGITPODPROTOCOL-7452079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "github.com/gitpod-io/gitpod vulnerable to Cookie Tossing"
}
GHSA-8WXH-J3RH-HQ7G
Vulnerability from github – Published: 2025-03-17 06:30 – Updated: 2025-03-17 06:30The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.
{
"affected": [],
"aliases": [
"CVE-2025-2395"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-17T06:15:25Z",
"severity": "CRITICAL"
},
"details": "The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.",
"id": "GHSA-8wxh-j3rh-hq7g",
"modified": "2025-03-17T06:30:25Z",
"published": "2025-03-17T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2395"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-10012-d5bbc-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-10011-3de72-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9C86-QQFM-5HF3
Vulnerability from github – Published: 2024-04-19 00:30 – Updated: 2024-04-19 00:30The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allows more critical operations to the transmitter.
{
"affected": [],
"aliases": [
"CVE-2024-21872"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-18T23:15:07Z",
"severity": "HIGH"
},
"details": "\nThe device allows an unauthenticated attacker to bypass authentication \nand modify the cookie to reveal hidden pages that allows more critical \noperations to the transmitter.\n\n",
"id": "GHSA-9c86-qqfm-5hf3",
"modified": "2024-04-19T00:30:54Z",
"published": "2024-04-19T00:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21872"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid using cookie data for a security-related decision.
Mitigation
Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.
Mitigation
Add integrity checks to detect tampering.
Mitigation
Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.
CAPEC-226: Session Credential Falsification through Manipulation
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.