CVE-2025-47289 Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting XSS vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner admin...

CVE-2023-51843

react-dashboard 1.4.0 is vulnerable to Cross Site Scripting XSS as httpOnly is not set...

CVE-2022-43845

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie...

CVE-2022-4630

Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master...

CVE-2021-3706

adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag...

CVE-2021-29247

BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the HTTPOnly flag for a cookie...

CVE-2021-26589

A potential security vulnerability has been identified in HPE Superdome Flex Servers. The vulnerability could be remotely exploited to allow Cross Site Scripting XSS because the Session Cookie is missing an HttpOnly Attribute. HPE has provided a firmware update to resolve the vulnerability in HPE...

CVE-2021-21494

MK-AUTH through 19.01 K4.9 allows XSS via the admin/logsajax.php tipo parameter. An attacker can leverage this to read the centralmka2 session token cookie, which is not set to HTTPOnly...

CVE-2021-40649

In Connx Version 6.2.0.1269 20210623, a cookie can be issued by the application and not have the HttpOnly flag set...

CVE-2020-6267

Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag...

CVE-2020-25473

SimplePHPscripts News Script PHP Pro 2.3 does not properly set the HttpOnly Flag from Session Cookies...

CVE-2020-15910

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be...

CVE-2019-25091

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRFCOOKIEHTTPONLY leads to cookie without 'httponly' flag. It is possible to...

CVE-2019-19003

For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting...

CVE-2019-19736

MFScripts YetiShare 3.5.2 through 4.5.3 does not set the HttpOnly flag on session cookies, allowing the cookie to be read by script, which can potentially be used by attackers to obtain the cookie via cross-site scripting...

CVE-2011-4850

The Control Panel in Parallels Plesk Panel 10.4.4build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by...

CVE-2019-17104

In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set...

CVE-2013-3636

ProjectPier 0.8.8 has a Remote Information Disclosure Weakness because of the lack of the HttpOnly cookie flag...

CVE-2003-1567

The undocumented TRACK method in Microsoft Internet Information Services IIS 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by usi...

CVE-2025-26844

An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag...