882 matches found

Positive Technologies
added 2019/09/25 12:00 a.m. · 1 view

PT-2019-11799 · Cloudbees +1 · Jenkins

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.196 and earlier, LTS versions 2.176.3 and earlier. Description: The issue allows attackers to obtain the HTTP session cookie, despite it being marked HttpOnly, by exploiting another XSS vulnerability and accessing the /whoAm...

CVSS 5.4 · AI score 4.7 · EPSS 0.82266
Exploits 0 · References 7
OpenVAS
added 2019/09/16 12:00 a.m. · 48 views

LimeSurvey < 3.17.14 Multiple Vulnerabilities

LimeSurvey is prone to multiple vulnerabilities...

CVSS 9.8 · AI score 6.5 · EPSS 0.01388
Exploits 8 · References 1
NVD
added 2019/09/09 9:15 p.m. · 8 views

CVE-2019-16187

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script...

CVSS 7.5 · AI score 7.5 · EPSS 0.00276
Exploits 0 · References 2
OSV
added 2019/09/09 9:15 p.m. · 9 views

CVE-2019-16187

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script...

CVSS 7.5 · AI score 6.8
Exploits 0 · References 2
Prion
added 2019/09/09 9:15 p.m. · 9 views

Cross site request forgery (CSRF)

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script...

CVSS 5 · AI score 7.4 · EPSS 0.00276
Exploits 0 · References 2 · Affected software 1
Cvelist
added 2019/09/09 8:21 p.m. · 9 views

CVE-2019-16187

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script...

AI score 7.9 · EPSS 0.00276
Exploits 0 · References 2
CVE
added 2019/09/09 8:21 p.m. · 137 views

CVE-2019-16187

LimeSurvey prior to 3.17.14 is affected. The root cause is an anti-CSRF cookie that is not HttpOnly, allowing client-side scripts to access the cookie value. This can lead to exposure of cookie data; it is scored 5.0 under CVSS 2 and 7.5 (High) under CVSS 3.1. The ad...

CVSS 7.5 · AI score 7.5 · EPSS 0.00276
Exploits 0 · References 2 · Affected software 1
NVD
added 2019/08/14 2:15 p.m. · 10 views

CVE-2019-0341

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. If an attacker runs script code in the context of the application, he could get access to the session cookie. The session cookie could then be abused to gain access to the application...

CVSS 8.8 · AI score 8.8 · EPSS 0.00219
Exploits 0 · References 2
Prion
added 2019/08/14 2:15 p.m. · 15 views

Design/Logic Flaw

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. If an attacker runs script code in the context of the application, he could get access to the session cookie. The session cookie could then be abused to gain access to the application...

CVSS 4 · AI score 8.7 · EPSS 0.00219
Exploits 0 · References 2 · Affected software 1
CVE
added 2019/08/14 1:50 p.m. · 47 views

CVE-2019-0341

CVE-2019-0341 affects SAP Enable Now, version 1902, where the session cookie is missing the HttpOnly flag. This allows script code executed in the application context to access the session cookie and potentially abuse it to gain access to the application. The connected documents corroborate t...

CVSS 8.8 · AI score 8.7 · EPSS 0.00219
Exploits 0 · References 2 · Affected software 1
OSV
added 2019/07/08 10:15 p.m. · 1 view

CVE-2019-12927

MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Because the session cookie did not use the HttpOnly flag, it was possible to hijack the session cookie by exploiting this vulnerability...

CVSS 6.1 · AI score 6.5
Exploits 0 · References 2
NVD
added 2019/07/08 10:15 p.m. · 14 views

CVE-2019-12927

MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Because the session cookie did not use the HttpOnly flag, it was possible to hijack the session cookie by exploiting this vulnerability...

CVSS 6.1 · AI score 6 · EPSS 0.0011
Exploits 0 · References 2
Prion
added 2019/06/07 8:29 p.m. · 15 views

Cross site scripting

An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily...

CVSS 4.3 · AI score 6.6 · EPSS 0.00388
Exploits 1 · References 3 · Affected software 1
NVD
added 2019/06/07 8:29 p.m. · 13 views

CVE-2018-10692

An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily...

CVSS 6.1 · AI score 6.7 · EPSS 0.00388
Exploits 1 · References 3
CVE
added 2019/06/07 7:21 p.m. · 156 views

CVE-2018-10692

CVE-2018-10692 affects Moxa AWK-3121 devices (version 1.14), where the session cookie Password508 is not HttpOnly, enabling a cross-site scripting attacker to steal the cookie. Connected sources (NVD, CISA/ICS advisory, and Nessus plugin) confirm this vulnerability is tied to the HTTP co...

CVSS 6.1 · AI score 6 · EPSS 0.00388
Exploits 1 · References 3 · Affected software 1
NVD
added 2019/06/07 3:29 p.m. · 8 views

CVE-2019-8283

Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have the 'HttpOnly' flag. This allows malicious JavaScript to steal it...

CVSS 6.5 · AI score 6.4 · EPSS 0.00296
Exploits 0 · References 1
Prion
added 2019/06/07 3:29 p.m. · 13 views

Default credentials

Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have the 'HttpOnly' flag. This allows malicious JavaScript to steal it...

CVSS 4.3 · AI score 6.4 · EPSS 0.00296
Exploits 0 · References 1 · Affected software 1
Cvelist
added 2019/06/07 2:18 p.m. · 10 views

CVE-2019-8283

Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have the 'HttpOnly' flag. This allows malicious JavaScript to steal it...

AI score 6.4 · EPSS 0.00296
Exploits 0 · References 1
Cvelist
added 2019/05/13 12:38 p.m. · 14 views

CVE-2018-12302

Missing HttpOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting...

AI score 6.1 · EPSS 0.0024
Exploits 0 · References 1
CVE
added 2019/05/13 12:38 p.m. · 40 views

CVE-2018-12302

CVE-2018-12302 concerns the Seagate NAS OS web application (v4.3.15.1), which is missing the HttpOnly flag on session cookies, enabling theft of session tokens via cross-site scripting. Publicly surfaced details are consistent across sources (NVD/Red Hat/other catalogs). The Red Hat and NVD entries ...

CVSS 6.1 · AI score 6 · EPSS 0.0024
Exploits 0 · References 1 · Affected software 1
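Every entry in this result set comes down to the same check: which Set-Cookie headers an application emits without HttpOnly (and, in practice, without the related Secure and SameSite attributes). The block below is an added example, not code from Vulners or from any vendor listed above, that parses Set-Cookie headers from a response and reports the missing attributes. `SAMPLE_HEADERS`, every cookie name and every value in it are constructed for illustration (the name `Password508` mirrors the Moxa entry only as a label), and `allow_script_readable` is a hypothetical parameter of this example for cookies the front end must read by design, such as a double-submit CSRF token.

```python
# Added example: audit Set-Cookie headers for missing HttpOnly / Secure / SameSite.
# Not code from Vulners or any listed vendor; sample headers below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    http_only: bool = False
    secure: bool = False
    same_site: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value (name=value; attr; attr=val ...) and record gaps."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    audit = CookieAudit(name=name)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()  # attribute names are case-insensitive
        if key == "httponly":
            audit.http_only = True
        elif key == "secure":
            audit.secure = True
        elif key == "samesite":
            audit.same_site = val.strip() or None
    if not audit.http_only:
        audit.findings.append(
            "no HttpOnly: readable via document.cookie by any script in the origin, "
            "e.g. an XSS payload")
    if not audit.secure:
        audit.findings.append("no Secure: also sent over plain HTTP")
    if audit.same_site is None:
        audit.findings.append("no SameSite: attached to cross-site requests")
    return audit


def audit_headers(headers: List[Tuple[str, str]],
                  allow_script_readable: Tuple[str, ...] = ()) -> Dict[str, CookieAudit]:
    """Audit all Set-Cookie headers of a response.

    allow_script_readable (hypothetical parameter of this example) names cookies
    that JavaScript must read on purpose; only their HttpOnly finding is dropped,
    so the exception is an explicit decision rather than a silent gap.
    """
    results: Dict[str, CookieAudit] = {}
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        audit = parse_set_cookie(hval)
        if audit.name in allow_script_readable:
            audit.findings = [f for f in audit.findings if not f.startswith("no HttpOnly")]
        results[audit.name] = audit
    return results


# Constructed sample response headers; values are placeholders.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),  # hardened
    ("Set-Cookie", "Password508=deadbeef; Path=/"),  # session cookie with no flags at all
    ("Set-Cookie", "csrftoken=t0k3n; Path=/; Secure; SameSite=Strict"),  # JS-readable by design
]


def audit_sample() -> Dict[str, List[str]]:
    """Run the audit over SAMPLE_HEADERS and return {cookie name: findings}."""
    report = audit_headers(SAMPLE_HEADERS, allow_script_readable=("csrftoken",))
    return {name: a.findings for name, a in report.items()}


if __name__ == "__main__":
    for cookie, findings in audit_sample().items():
        print(cookie, "->", findings or ["ok"])
```

Two caveats apply to the result. First, whether an anti-CSRF cookie (the LimeSurvey case) belongs on the allow-list depends on the CSRF scheme: a double-submit design requires the script to read it, whereas a server-side synchronizer token does not, so the exception should be recorded with the reason. Second, HttpOnly limits what injected script can read from `document.cookie`; it does not stop script from riding the session directly, and the Jenkins entry shows that an endpoint which echoes request cookies back in a response defeats the flag entirely, so the audit is a floor for cookie hygiene, not a substitute for fixing the XSS.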