881 matches found
Information disclosure
IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 198755...
CVE-2021-20526
IBM Planning Analytics 2.0 (Local) is affected by an information disclosure vulnerability caused by not setting the HTTPOnly flag on cookies. A remote attacker could obtain sensitive information from cookies due to this flaw. Remediation provided in the connected materials recommends applying the...
IBM Planning Analytics security vulnerability
IBM Planning Analytics, a planning, budgeting, forecasting and analysis solution, is vulnerable to an information disclosure in IBM Planning Analytics version 2.0. The vulnerability stems from the HTTPOnly flag not being set. A remote attacker could use this vulnerability to obtain sensitive...
Sensitive Cookie Without 'HttpOnly' Flag in namelessmc/nameless
Description Due to a culmination of factors in the design of the authentication and authorization system and a lack of proper cookie setting it is possible for a malicious user to exfiltrate session tokens from a NamelessMC instance and aggregate them in a remote service. A malicious administrati...
CVE-2021-26589
A potential security vulnerability has been identified in HPE Superdome Flex Servers. The vulnerability could be remotely exploited to allow Cross Site Scripting XSS because the Session Cookie is missing an HttpOnly Attribute. HPE has provided a firmware update to resolve the vulnerability in HPE...
CVE-2021-26589
This CVE concerns HPE Superdome Flex Servers where a Cross Site Scripting (XSS) vulnerability arises because the Session Cookie lacks the HttpOnly attribute. Public sources (NVD entry) describe remote exploitation potential and provide a firmware update from HPE as the remediation. The NVD CVSS v...
Sensitive Cookie Without 'HttpOnly' Flag in craigk5n/webcalendar
✍️ Description HTTPOnly attribute is not set for session cookies in the application 💥 Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session cookies that can make it easier to...
Sensitive Cookie Without 'HttpOnly' Flag in pkp/ojs
✍️ Description HTTPOnly attribute is not set for session cookies "OJSSID" in the application. Proof of Concept Check this for POC: Image Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These...
Sensitive Cookie Without 'HttpOnly' Flag in yeswiki/yeswiki
Description The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps...
Sensitive Cookie Without 'HttpOnly' Flag in filegator/filegator
Description HTTPOnly attribute is not set for session cookies in the application. Proof of Concept https://ibb.co/R950Vxj Impact When a cookie doesn’t have an HttpOnly flag, it can be accessed through JavaScript, which means that an XSS could lead to cookies being stolen. These include session...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kcal-app/kcal
Description Implement both Secure flag and httponly flag in the application. Proof of Concept Impact The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from bein...
Sensitive Cookie Without 'HttpOnly' Flag in babybuddy/babybuddy
Description HttpOnly flag not mentioned Proof of Concept step to reproduce below show request GET /login/?next=/google.com HTTP/1.1 Host: demo.baby-buddy.net User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:92.0 Gecko/20100101 Firefox/92.0 Accept:...
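Every entry above makes the same two points: a cookie set without HttpOnly is readable from JavaScript, so any XSS on the site can exfiltrate the session token, and the fix is an attribute on the Set-Cookie response header (the kcal-app entry adds the Secure flag to the same list). The following is an added example, not code from any of the projects or advisories listed here. It parses captured Set-Cookie headers the way a tester would after the login request shown in the babybuddy report, flags session-looking cookies that lack HttpOnly, Secure or SameSite, and re-emits the hardened header. The name heuristic, the helper names and the sample headers (constructed; cookie names borrowed from the entries above, values made up) are assumptions of this example.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite.

Added example, not code from any project or advisory on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Heuristic for names that usually carry a session or login token.
# An assumption of this example; tune it for the application under test.
SENSITIVE_NAME_RE = re.compile(r"(sess|sid|auth|token|login|remember|persistent)", re.IGNORECASE)

# Canonical spelling for attributes when re-emitting a hardened header.
CANONICAL = {"httponly": "HttpOnly", "secure": "Secure", "samesite": "SameSite",
             "path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age"}


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value string, or True for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def samesite(self) -> Optional[str]:
        v = self.attributes.get("samesite")
        return v if isinstance(v, str) else None


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value: name=value; attr; attr=val (RFC 6265 shape)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit(cookie: Cookie, over_https: bool = True) -> list:
    """Findings for a sensitive-looking cookie; empty list when nothing is wrong."""
    if not SENSITIVE_NAME_RE.search(cookie.name):
        return []  # preference cookies etc. are out of scope for this check
    findings = []
    if not cookie.httponly:
        findings.append("missing HttpOnly: readable via document.cookie, so XSS can steal it")
    if over_https and not cookie.secure:
        findings.append("missing Secure: the browser will also send it over plain HTTP")
    if cookie.samesite is None:
        findings.append("missing SameSite: attached to cross-site requests (CSRF exposure)")
    return findings


def audit_response_headers(headers, over_https: bool = True) -> dict:
    """Audit every Set-Cookie header in a captured response, keyed by cookie name."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            report[cookie.name] = audit(cookie, over_https)
    return report


def harden(cookie: Cookie) -> str:
    """Re-emit the cookie with HttpOnly, Secure and SameSite=Lax added (the fix side)."""
    attrs = dict(cookie.attributes)
    attrs.setdefault("httponly", True)
    attrs.setdefault("secure", True)
    attrs.setdefault("samesite", "Lax")
    parts = [f"{cookie.name}={cookie.value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        parts.append(label if val is True else f"{label}={val}")
    return "; ".join(parts)


# Constructed sample response (not captured from any real instance). Cookie names
# mirror the entries above; the values are made up. The third cookie is hardened.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "OJSSID=abc123; path=/"),
    ("Set-Cookie", "persistentlogin=deadbeef; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/admin"),
    ("Set-Cookie", "sessionid=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for cookie_name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {'OK' if not findings else '; '.join(findings)}")
    print("fixed:", harden(parse_set_cookie("OJSSID=abc123; path=/")))
```

Run against a real capture by replacing SAMPLE_HEADERS with the response headers from the login request (for example `list(resp.headers.items())` from `urllib`, or the raw Set-Cookie lines pasted from a proxy). The attribute parser is deliberately case-insensitive because browsers treat `httponly`, `HttpOnly` and `HTTPOnly` identically, so a scanner that matches only one spelling produces false positives.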
CVE-2021-3706 Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag...
CVE-2021-3706
The CVE-2021-3706 entry affects Pi-hole’s AdminLTE-based web interface. Affected component: the adminlte/persistentlogin cookie is set without the HttpOnly flag, making the cookie accessible to JavaScript and susceptible to theft via XSS. The OpenVAS PoC documents show a login flow where the pers...