882 matches found
CVE-2014-0634
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 is affected by a missing HttpOnly attribute in a Set-Cookie header for an unspecified cookie, which could allow remote attackers to access potentially sensitive information via script. Affected products: VPLEX GeoSynchrony 4.0–5.2.1. Root cause: absen...
CVE-2014-0634
EMC VPLEX GeoSynchrony 4.x and 5.x before 5.3 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...
Concrete CMS: HttpOnly flag not set for cookie on concrete5.org
Hi, the HttpOnly flag is not set on concrete5.org, making it easy to steal the cookie when an XSS is present on the site. See HttpOnly on OWASP for more information...
Oracle Containers for J2EE Component Unspecified XSS
The remote Oracle Application Server is affected by an unspecified cross-site scripting vulnerability. Specifically, installations that do not set the 'HttpOnly' flag in session cookies are vulnerable...
CVE-2013-4617
Jahia xCM before 6.6.2 does not include the HTTPOnly flag in a Set-Cookie header for the JSESSIONID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...
Design/Logic Flaw
Jahia xCM before 6.6.2 does not include the HTTPOnly flag in a Set-Cookie header for the JSESSIONID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...
CVE-2013-4617
CVE-2013-4617 affects Jahia xCM prior to 6.6.2. The issue is that the Set-Cookie header for the JSESSIONID cookie does not use the HTTPOnly flag, which can allow remote attackers to access the cookie via client-side scripts and potentially expose sensitive information. The provided documents conf...
Evernote: Wormable stored XSS in www.evernote.com
The Evernote iOS application leverages the Evernote API to synchronize notes with the backend. When a new note is created or updated, a request is submitted to the backend that wraps the note in an XML document. This request also contains metadata about which parts of the note are updated. The XML...
Oracle Linux 3 / 4 : seamonkey (ELSA-2009-0257)
From Red Hat Security Advisory 2009:0257 : Updated SeaMonkey packages that fix security issues are now available for Red Hat Enterprise Linux 2.1, 3, and 4. This update has been rated as having critical security impact by the Red Hat Security Response Team. SeaMonkey is an open source Web browser...
PHP-Fusion: source code security analysis report
Several vulnerabilities were discovered in the 'PHP-Fusion' software: incorrect user input filtration when connecting to external files (file system path manipulation); incorrect user input filtration when using regular expressions while calling the preg_replace function; using insufficiently...
Apache HttpOnly Cookie XSS cross-site vulnerabilities-vulnerability warning-the black bar safety net
Many programs, and some commercial or mature open-source CMS article systems, add the HttpOnly attribute to the cookie in order to prevent XSS from stealing the user's cookie: it prohibits JavaScript from reading the user's cookie directly, thereby reducing the harm of XSS. This proble...
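The CVE entries above (CVE-2014-0634, CVE-2013-4617, CVE-2012-4846) and the Apache article all describe the same defect: a Set-Cookie header without the HttpOnly attribute, so any script running on the origin can read the cookie. The following is an added example, not code from any advisory, vendor or scanner listed here. It parses Set-Cookie headers, lists which cookies an injected script would see through document.cookie, and emits scanner-style findings. The sample responses are constructed, and the set of session-cookie names is an assumption to extend for the framework under test.

```python
# Added example (not code from any advisory or vendor listed above): parse
# Set-Cookie headers and report cookies that lack the HttpOnly flag, which
# is the defect described in CVE-2013-4617, CVE-2012-4846 and CVE-2014-0634.
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from a real product). The first
# models the vulnerable pattern: a JSESSIONID issued without HttpOnly.
VULNERABLE_RESPONSE = [
    "Set-Cookie: JSESSIONID=8A1F3C9D2B; Path=/",
    "Set-Cookie: prefs=dark; Path=/; Max-Age=31536000",
    "Content-Type: text/html; charset=utf-8",
]
FIXED_RESPONSE = [
    "Set-Cookie: JSESSIONID=8A1F3C9D2B; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/; Max-Age=31536000",
    "Content-Type: text/html; charset=utf-8",
]

# Cookie names that conventionally carry a session identifier (assumption:
# extend this set for the framework under test).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are compared case-insensitively, as RFC 6265 requires,
    so 'HttpOnly', 'httponly' and 'HTTPOnly' all count as the flag being set.
    """
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attrs


def set_cookie_headers(headers: List[str]) -> List[Tuple[str, str, Dict[str, str]]]:
    """Parse every Set-Cookie header in a response; other headers are ignored."""
    return [parse_set_cookie(h) for h in headers if h.lower().startswith("set-cookie:")]


def script_visible(headers: List[str]) -> List[str]:
    """Cookie names an injected script could read via document.cookie.

    A browser withholds HttpOnly cookies from script; everything else is
    exposed to any XSS on the origin.
    """
    return [name for name, _, attrs in set_cookie_headers(headers) if "httponly" not in attrs]


def audit_cookies(headers: List[str]) -> List[str]:
    """Findings in the style of the scanner plugins listed above.

    A session cookie without HttpOnly is rated HIGH because an XSS then
    yields the session outright; other cookies are LOW. A session cookie
    without Secure is also reported, since it would travel over plain HTTP.
    """
    findings: List[str] = []
    for name, _, attrs in set_cookie_headers(headers):
        is_session = name in SESSION_COOKIE_NAMES
        if "httponly" not in attrs:
            severity = "HIGH" if is_session else "LOW"
            findings.append(f"{severity}: {name} set without HttpOnly")
        if is_session and "secure" not in attrs:
            findings.append(f"MEDIUM: {name} set without Secure")
    return findings


if __name__ == "__main__":
    for label, response in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "visible to script:", script_visible(response))
        for finding in audit_cookies(response):
            print("  ", finding)
```

Note that the fixed response still leaves `prefs` readable by script; that is deliberate, since the point of HttpOnly is to keep the session token, not every cookie, out of reach of an XSS payload.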
IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability
Exploit for PHP platform in category web applications. Exploit Title: IP.Gallery 4.2.x and 5.0.x persistent XSS vulnerability. The image title is vulnerable to a persistent XSS vulnerability which allows any normal member to hack any administrator account or any other member account. We contacted the vend...
RHEL 6 : Red Hat Network Satellite server (RHSA-2011:1299)
The remote Red Hat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:1299 advisory. Red Hat Network (RHN) Satellite provides a solution to organizations requiring absolute control over and privacy of the maintenance and packag...
CVE-2012-4846
IBM Lotus Notes 8.5.x before 8.5.3 FP3 does not include the HTTPOnly flag in a Set-Cookie header for a web-application cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, aka SPRs JMAS7TRNLN and SRAO8U3Q68...
Design/Logic Flaw
IBM Lotus Notes 8.5.x before 8.5.3 FP3 does not include the HTTPOnly flag in a Set-Cookie header for a web-application cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, aka SPRs JMAS7TRNLN and SRAO8U3Q68...
CVE-2012-4846
CVE-2012-4846 is corroborated by OpenVAS entries describing IBM Lotus Notes Web Application XSS vulnerabilities across Linux, Windows, and Mac OS X. The OpenVAS tests (IDs 803216, 803215, 1361412562310803218, 1361412562310803215, 1361412562310803218) associate the CVE with an XSS issue in the Lot...
IBM Lotus Notes 8.5.1 / 8.5.2 / 8.5.3 < 8.5.3 FP3 Multiple Vulnerabilities
The remote host has a version of Lotus Notes 8.5.1, 8.5.2, or 8.5.3.x prior to 8.5.3 Fix Pack 3 installed. It is, therefore, reportedly affected by the following vulnerabilities : - The included version of the IBM Java SDK contains a version of the IBM JRE that contains several errors that allow...
FreeBSD : django -- multiple vulnerabilities (5f326d75-1db9-11e2-bc8f-d0df9acfd7e5)
The Django Project reports : - Host header poisoning Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host header. Some attacks against this are beyond Django's ability to control, and require t...
django -- multiple vulnerabilities
The Django Project reports: Host header poisoning Some parts of Django -- independent of end-user-written applications -- make use of full URLs, including domain name, which are generated from the HTTP Host header. Some attacks against this are beyond Django's ability to control, and require the...
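The two Django entries above describe the same mechanism: parts of the framework build full URLs from the request's Host header, so a forged Host header ends up inside links the application generates. The following is an added example and is not Django's own code; it shows the allowlist check a practitioner would put in front of any absolute-URL construction. The allowlist syntax (an exact host, or a leading dot to match a domain and all its subdomains) is modelled on Django's ALLOWED_HOSTS convention, and the hosts and paths used are constructed.

```python
# Added example, not Django's own code: validate the HTTP Host header
# against an allowlist before using it to build absolute URLs, the class of
# problem the advisories above call Host header poisoning.
import re
from typing import Iterable

# Characters permitted in a normalised host name (after lowercasing and
# port removal). Anything else, such as '/', '@' or whitespace, could
# reshape the URL that is built from the header and is rejected.
HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def host_without_port(host: str) -> str:
    """Normalise a Host header value: lower-case, drop an explicit port and a trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8000
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if host.count(":") == 1:                 # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def host_allowed(host: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the Host header names a host the deployment actually serves.

    Patterns: 'example.com' matches exactly; '.example.com' matches
    example.com and every subdomain (assumption: modelled on Django's
    ALLOWED_HOSTS convention). 'example.com.attacker.net' matches neither.
    """
    h = host_without_port(host)
    if not h or (not h.startswith("[") and not HOST_RE.match(h)):
        return False
    for pattern in allowed_hosts:
        p = pattern.strip().lower()
        if p == h:
            return True
        if p.startswith(".") and (h == p[1:] or h.endswith(p)):
            return True
    return False


def build_absolute_url(host_header: str, path: str, allowed_hosts: Iterable[str],
                       scheme: str = "https") -> str:
    """Build a link back to the site only from a validated Host header.

    Without the check, an attacker who sends 'Host: attacker.net' receives
    a link (for example one mailed to another user) that points at a host
    they control. With it, the request is refused instead.
    """
    if not host_allowed(host_header, allowed_hosts):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return f"{scheme}://{host_header.strip()}/{path.lstrip('/')}"


if __name__ == "__main__":
    allowed = [".example.com"]                       # constructed deployment allowlist
    for hdr in ("www.example.com:8443", "example.com", "attacker.net",
                "example.com.attacker.net", "example.com/@attacker.net"):
        try:
            print(hdr, "->", build_absolute_url(hdr, "/account/reset/abc", allowed))
        except ValueError as exc:
            print(hdr, "->", exc)
```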