CWE-614
AllowedSensitive Cookie in HTTPS Session Without 'Secure' Attribute
Abstraction: Variant · Status: Draft
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
115 vulnerabilities reference this CWE, most recent first.
GHSA-5453-99CG-PJH9
Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.
{
"affected": [],
"aliases": [
"CVE-2025-27450"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T12:15:22Z",
"severity": "MODERATE"
},
"details": "The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.",
"id": "GHSA-5453-99cg-pjh9",
"modified": "2025-07-03T12:34:58Z",
"published": "2025-07-03T12:34:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27450"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.endress.com"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FCF-3M52-F3Q5
Vulnerability from github – Published: 2025-10-31 15:30 – Updated: 2025-10-31 15:30IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2025-36249"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T13:15:33Z",
"severity": "LOW"
},
"details": "IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-5fcf-3m52-f3q5",
"modified": "2025-10-31T15:30:31Z",
"published": "2025-10-31T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36249"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7249820"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5J35-XR4G-VWF4
Vulnerability from github – Published: 2026-03-25 17:32 – Updated: 2026-03-25 17:32Impact
The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections.
Since the server binds to 127.0.0.1 by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when --allow-network is used to bind to 0.0.0.0, cookies could be transmitted over insecure network connections and intercepted by an attacker.
Affected code:
- packages/server/src/session.ts:76 — cookie string lacks ; Secure attribute
Patches
0.70.5
Fix: Conditionally add ; Secure when served over HTTPS or when --allow-network is enabled:
const securePart = isHttps ? "; Secure" : "";
return `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;
Workarounds
Do not use --allow-network over untrusted networks without a TLS-terminating reverse proxy.
Resources
- OWASP: Secure Cookie Attribute
- File:
packages/server/src/session.ts
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.70.4"
},
"package": {
"ecosystem": "npm",
"name": "@grackle-ai/server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.70.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T17:32:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nThe session cookie is set with `HttpOnly; SameSite=Lax; Path=/` but does not include the `Secure` flag. This means the cookie will be sent over plain HTTP connections.\n\nSince the server binds to `127.0.0.1` by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when `--allow-network` is used to bind to `0.0.0.0`, cookies could be transmitted over insecure network connections and intercepted by an attacker.\n\n**Affected code:**\n- `packages/server/src/session.ts:76` \u2014 cookie string lacks `; Secure` attribute\n\n### Patches\n\n0.70.5\n\n**Fix:** Conditionally add `; Secure` when served over HTTPS or when `--allow-network` is enabled:\n```typescript\nconst securePart = isHttps ? \"; Secure\" : \"\";\nreturn `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;\n```\n\n### Workarounds\n\nDo not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy.\n\n### Resources\n\n- OWASP: Secure Cookie Attribute\n- File: `packages/server/src/session.ts`",
"id": "GHSA-5j35-xr4g-vwf4",
"modified": "2026-03-25T17:32:39Z",
"published": "2026-03-25T17:32:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4"
},
{
"type": "PACKAGE",
"url": "https://github.com/nick-pape/grackle"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@grackle-ai/server has a Missing Secure Flag on Session Cookie"
}
GHSA-74C8-V93W-3C2C
Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-17 00:01Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.
{
"affected": [],
"aliases": [
"CVE-2022-25151"
],
"database_specific": {
"cwe_ids": [
"CWE-614",
"CWE-732"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-09T17:15:00Z",
"severity": "HIGH"
},
"details": "Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.",
"id": "GHSA-74c8-v93w-3c2c",
"modified": "2022-06-17T00:01:28Z",
"published": "2022-06-10T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25151"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2022-25151"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2021-00037"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-75J3-GFF7-55X3
Vulnerability from github – Published: 2025-01-27 03:30 – Updated: 2025-01-27 03:30IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2024-28770"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T02:15:28Z",
"severity": "MODERATE"
},
"details": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-75j3-gff7-55x3",
"modified": "2025-01-27T03:30:26Z",
"published": "2025-01-27T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28770"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7161444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7CVP-JXJH-QVVF
Vulnerability from github – Published: 2026-04-01 21:30 – Updated: 2026-04-01 21:30IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2026-4820"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T21:17:02Z",
"severity": "MODERATE"
},
"details": "IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-7cvp-jxjh-qvvf",
"modified": "2026-04-01T21:30:32Z",
"published": "2026-04-01T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4820"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7268028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7V85-4VQ6-66GQ
Vulnerability from github – Published: 2023-11-02 18:30 – Updated: 2023-11-02 18:30A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.
{
"affected": [],
"aliases": [
"CVE-2023-5035"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-02T17:15:11Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.\n\n",
"id": "GHSA-7v85-4vq6-66gq",
"modified": "2023-11-02T18:30:25Z",
"published": "2023-11-02T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5035"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230203-pt-g503-series-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8255-QF34-44MP
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2024-04-23 22:56Mautic prior to 2.1.1 fails to set flags on session cookies
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-1000046"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T22:56:43Z",
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "HIGH"
},
"details": "Mautic prior to 2.1.1 fails to set flags on session cookies",
"id": "GHSA-8255-qf34-44mp",
"modified": "2024-04-23T22:56:43Z",
"published": "2022-05-13T01:40:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000046"
},
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/issues/1969"
},
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/pull/2311"
},
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/pull/2311/commits/f9e7981f4acf0d37fd935c9b9d5d09d7e1a49bc6"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
},
{
"type": "WEB",
"url": "https://www.trustmatta.com/advisories/MATTA-2017-002.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sensitive Cookie Without HttpOnly and Secure Flag"
}
GHSA-8M29-G8HW-C32W
Vulnerability from github – Published: 2024-11-07 09:30 – Updated: 2024-11-07 09:30HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.
{
"affected": [],
"aliases": [
"CVE-2024-30142"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-07T09:15:03Z",
"severity": "LOW"
},
"details": "HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.",
"id": "GHSA-8m29-g8hw-c32w",
"modified": "2024-11-07T09:30:43Z",
"published": "2024-11-07T09:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30142"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8QCX-87FJ-RCVF
Vulnerability from github – Published: 2024-02-09 03:33 – Updated: 2024-02-09 03:33IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 265559.
{
"affected": [],
"aliases": [
"CVE-2023-42016"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-09T01:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 265559.",
"id": "GHSA-8qcx-87fj-rcvf",
"modified": "2024-02-09T03:33:10Z",
"published": "2024-02-09T03:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42016"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/265559"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7116083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Always set the secure attribute when the cookie should be sent via HTTPS only.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.