Design/Logic Flaw

Synology Router Manager SRM before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...

CVE-2020-27658

Synology SRM (on SRM up to 1.2.4-8081) is affected by CVE-2020-27658: the web interface session cookie id is Set-Cookie without the HttpOnly flag, enabling potential theft of the cookie via injected JavaScript and facilitating an XSS-based information disclosure. TALOS details confirm the vulnera...

CVE-2020-27658

Synology Router Manager SRM before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...

CVE-2020-15910

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be...

CVE-2020-15910

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be...

Design/Logic Flaw

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be...

CVE-2020-15910

This CVE concerns SolarWinds N-Central, affected in version 12.3 GA and lower. The underlying issue is that the JSESSIONID cookie is not marked HttpOnly, enabling client-side scripts to influence or exfiltrate the cookie. The described impact is that an attacker could lure a user to a crafted pag...

CVE-2020-15910

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be...

CVE-2020-15776

An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to...

CVE-2020-15776

An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to...

Unspecified Vulnerability in SAP Disclosure Management

SAP Disclosure Management is an automated financial disclosure management system from SAP. The system provides a collaborative financial disclosure process across teams, geographies, systems and data sources. A security vulnerability exists in SAP Disclosure Management version 10.1 that stems fro...

CVE-2020-6267

Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag...

Design/Logic Flaw

Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag...

CVE-2020-6267

Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag...

CVE-2020-6267

SAP Disclosure Management 10.1 is affected by CVE-2020-6267, where sensitive cookies are missing the HttpOnly flag. The available documents confirm the issue is tied to HttpOnly not being set on cookies, enabling potential exposure of sensitive cookie data. No detailed exploit steps or CVE-specif...

PT-2020-19062 · Sap · Sap Disclosure Management

Name of the Vulnerable Software and Affected Versions: SAP Disclosure Management version 10.1 Description: The issue concerns sensitive cookies missing the HttpOnly flag in SAP Disclosure Management, which can lead to sensitive cookies being accessed without the HttpOnly flag. This affects the...

GitHub Security Lab: Add check for disabled HTTPOnly setting in Tomcat

This bug was reported directly to GitHub Security Lab...

Information Disclosure

httpd is vulnerable to information disclosure. The vulnerability exists as the httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this fla...

Information Disclosure

firefox is vulnerable to information disclosure. A flaw was found in the way Firefox treated HTTPOnly cookies. An attacker able to execute arbitrary JavaScript on a target site using HTTPOnly cookies may be able to use this flaw to steal the cookie...

CVE-2020-4289

IBM Security Information Queue ISIQ 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM...