47 matches found
CVE-2025-52608
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...
CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...
EUVD-2025-210061
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...
CVE-2025-52608
The CVE-2025-52608 entry concerns HCL iControl with Missing Cookie Attributes: cookies lack Secure and SameSite flags and have root path. Affected component is the web application’s session cookies; root path configuration and missing security attributes are cited as the underlying issue. The pro...
CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...
CVE-2025-52608
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...
PT-2026-46184
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Summary js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property, so the for…in enumerates it and the targetkey = sourcekey write triggers the...
GHSA-QJX8-664M-686J JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Summary js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property, so the for…in enumerates it and the targetkey = sourcekey write triggers the...
PT-2026-42640
Summary js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's " proto " member is an own enumerable property, so the for…in enumerates it and the targetkey = sourcekey write triggers the...
PT-2026-42689
Summary js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's " proto " member is an own enumerable property, so the for…in enumerates it and the targetkey = sourcekey write triggers the...
Amazon Linux 2 : python3-tornado, --advisory ALAS2-2026-3287 (ALAS-2026-3287)
The version of python3-tornado installed on the remote host is prior to 5.0.2-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3287 advisory. In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to...
OESA-2026-1903 python-tornado security update
Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for header...
CVE-2026-35536
A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...
SUSE-SU-2026:1171-1 Security update for python-tornado
This update for python-tornado fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
SUSE-SU-2026:20761-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
SUSE-SU-2026:20919-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
JetBrains Datalore 安全漏洞
JetBrains Datalore is a collaborative data science platform developed by the Czech company JetBrains. Versions of JetBrains Datalore prior to 2026.1 contained a security vulnerability caused by the lack of security attributes in Cookie settings, which could lead to session hijacking...
Parameter Injection
Overview tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Parameter Injection in the setcookie function in web.py. An attacker can manipulate cookie attributes by injecting values after ...
Tornado has incomplete validation of cookie attributes
Values passed to the domain, path, and samesite arguments of RequestHandler.setcookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes...