Lucene search
+L

21 matches found

CVE
CVE
added 2 days ago38 views

CVE-2026-49977

tarteaucitron.js before version 1.33.0 is vulnerable: tarteaucitron.cookie.purge() runs on any element with purgeBtn without verifying the element or the cookie’s service, allowing an attacker who can inject HTML with data-cookie attributes to silently delete a non-HttpOnly cookie when a user cli...

4.3CVSS5.3AI score0.00349EPSS
Exploits0References4
Veracode
Veracode
added 3 days ago6 views

Improper Authorization

tarteaucitron is vulnerable to Improper Authorization. The vulnerability is due to insufficient validation of HTML data attributes used for cookie deletion, which allows an attacker to craft malicious elements that trick users into unintentionally deleting cookies when clicked...

4.3CVSS5.3AI score0.00349EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/10 4:5 p.m.10 views

tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies

Summary tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie. Details tarteaucitron.cookie.purge is called on any...

4.3CVSS6.1AI score0.00349EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/10 4:5 p.m.1 views

GHSA-JXJ7-G6GM-49J7 tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies

Summary tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie. Details tarteaucitron.cookie.purge is called on any...

4.3CVSS6.1AI score0.00349EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/10 4:5 p.m.6 views

Improper Authorization

Overview tarteaucitronjs is a package that provides compliance to the European cookie law. Affected versions of this package are vulnerable to Improper Authorization via the purgeBtn process. An attacker can cause unintended deletion of arbitrary cookies by tricking a user into clicking a crafted...

5.3CVSS6.2AI score0.00349EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.18 views

PT-2026-57232

Name of the Vulnerable Software and Affected Versions tarteaucitron.js versions prior to 1.33.0 Description The software fails to verify if an element is a legitimate button or if the associated cookie belongs to a handled service when calling the tarteaucitron.cookie.purge function on elements...

4.3CVSS5.2AI score0.00349EPSS
Exploits0References6
OSV
OSV
added 2026/06/03 4:11 p.m.9 views

DRUPAL-CONTRIB-2026-040

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...

4.3CVSS5.9AI score0.00349EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.12 views

PT-2026-46080

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...

5.9AI score
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.17 views

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...

5.9AI score0.00349EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2009-5040

Malware in sbrugna...

2.6CVSS6.4AI score0.01122EPSS
Exploits0References3
OSV
OSV
added 2025/09/09 5:40 a.m.9 views

BIT-ENVOY-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...

8.8CVSS6.8AI score0.0031EPSS
Exploits1References3
Cvelist
Cvelist
added 2025/09/03 7:51 p.m.26 views

CVE-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...

6.3CVSS0.0031EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/09/03 7:51 p.m.2 views

CVE-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...

6.3CVSS6.3AI score0.0031EPSS
Exploits1References2
CVE
CVE
added 2025/09/03 7:51 p.m.25 views

CVE-2025-55162

CVE-2025-55162 affects Envoy (OAuth2 filter). The issue is insufficient Session Expiration: when cookie names are __Secure- or __Host-, the filter fails to add the Secure attribute to the Set-Cookie header during deletion, causing cookies to persist and enabling session hijacking on shared machin...

8.8CVSS6.3AI score0.0031EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2025/09/03 7:51 p.m.6 views

CVE-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...

6.3CVSS6.6AI score0.0031EPSS
Exploits1References4
CNNVD
CNNVD
added 2025/09/03 12:0 a.m.7 views

Envoy 代码问题漏洞

Envoy is an Enphase open source gateway program for connecting smart home devices. A code issue vulnerability exists in Envoy, which stems from the OAuth2 filter omitting the Secure attribute when deleting session cookies with the Secure-/Host- prefix, resulting in the browser rejecting the delet...

8.8CVSS6.7AI score0.0031EPSS
Exploits1References3
CNVD
CNVD
added 2017/06/27 12:0 a.m.4 views

Piwigo 'ws_session_logout' function security bypass vulnerability

Piwigo is a web-based photo album software from the Piwigo team. The software supports photo publishing, management, multiple browsing options categories, tags, time and more. A security vulnerability exists in the 'wssessionlogout' function in Piwigo 2.9.1 and earlier versions, which stems from...

7.2AI score
Exploits0References1
Exploit DB
Exploit DB
added 2009/05/21 12:0 a.m.35 views

ZaoCMS - 'download.php' Remote File Disclosure

-------------------------------------------------------------- ZaoCMS Remote File Disclosure Vulnerability --------------------------------------------------------------- Founder :ThE g0bL!N Home:http://www.zaocms.com/ Software : ZaoCMS Note: The OperatIon Worked By Deleting Your Cookies From The...

7.4AI score
Exploits0
Atlassian
Atlassian
added 2002/08/26 1:28 a.m.21 views

Have JIRA delete cookie when user authentication fails

I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...

0.3AI score
Exploits0Affected Software1
Atlassian
Atlassian
added 2002/08/26 1:28 a.m.24 views

Have JIRA delete cookie when user authentication fails

I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...

0.3AI score
Exploits0Affected Software1
Rows per page
Query Builder