21 matches found
CVE-2026-49977
tarteaucitron.js before version 1.33.0 is vulnerable: tarteaucitron.cookie.purge() runs on any element with purgeBtn without verifying the element or the cookie’s service, allowing an attacker who can inject HTML with data-cookie attributes to silently delete a non-HttpOnly cookie when a user cli...
Improper Authorization
tarteaucitron is vulnerable to Improper Authorization. The vulnerability is due to insufficient validation of HTML data attributes used for cookie deletion, which allows an attacker to craft malicious elements that trick users into unintentionally deleting cookies when clicked...
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Summary tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie. Details tarteaucitron.cookie.purge is called on any...
GHSA-JXJ7-G6GM-49J7 tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Summary tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie. Details tarteaucitron.cookie.purge is called on any...
Improper Authorization
Overview tarteaucitronjs is a package that provides compliance to the European cookie law. Affected versions of this package are vulnerable to Improper Authorization via the purgeBtn process. An attacker can cause unintended deletion of arbitrary cookies by tricking a user into clicking a crafted...
PT-2026-57232
Name of the Vulnerable Software and Affected Versions tarteaucitron.js versions prior to 1.33.0 Description The software fails to verify if an element is a legitimate button or if the associated cookie belongs to a handled service when calling the tarteaucitron.cookie.purge function on elements...
DRUPAL-CONTRIB-2026-040
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...
PT-2026-46080
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...
TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...
EUVD-2009-5040
Malware in sbrugna...
BIT-ENVOY-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...
CVE-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...
CVE-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...
CVE-2025-55162
CVE-2025-55162 affects Envoy (OAuth2 filter). The issue is insufficient Session Expiration: when cookie names are __Secure- or __Host-, the filter fails to add the Secure attribute to the Set-Cookie header during deletion, causing cookies to persist and enabling session hijacking on shared machin...
CVE-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...
Envoy 代码问题漏洞
Envoy is an Enphase open source gateway program for connecting smart home devices. A code issue vulnerability exists in Envoy, which stems from the OAuth2 filter omitting the Secure attribute when deleting session cookies with the Secure-/Host- prefix, resulting in the browser rejecting the delet...
Piwigo 'ws_session_logout' function security bypass vulnerability
Piwigo is a web-based photo album software from the Piwigo team. The software supports photo publishing, management, multiple browsing options categories, tags, time and more. A security vulnerability exists in the 'wssessionlogout' function in Piwigo 2.9.1 and earlier versions, which stems from...
ZaoCMS - 'download.php' Remote File Disclosure
-------------------------------------------------------------- ZaoCMS Remote File Disclosure Vulnerability --------------------------------------------------------------- Founder :ThE g0bL!N Home:http://www.zaocms.com/ Software : ZaoCMS Note: The OperatIon Worked By Deleting Your Cookies From The...
Have JIRA delete cookie when user authentication fails
I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...
Have JIRA delete cookie when user authentication fails
I would like to suggest that if JIRA loads the user details id and password from a cookie and attempts to authenticate and fails then JIRA should delete the cookie. The logic behind this is: We are using LDAP for authentication to Novell's NDS and if a user gets JIRA to remember their id and...