Lucene search
+L

181 matches found

CVE
CVE
added 2025/03/20 10:11 a.m.55 views

CVE-2024-7806

CVE-2024-7806 affects open-webui/open-webui ≤ 0.3.8. A CSRF flaw (lax SameSite cookies, no CSRF tokens) enables remote code execution by non-admin users when a victim visits a crafted page, potentially modifying a pipeline’s Python code and running arbitrary commands with the victim’s privileges....

8.8CVSS8.5AI score0.00444EPSS
Exploits2References1Affected Software1
Cvelist
Cvelist
added 2025/03/05 8:53 a.m.13 views

CVE-2025-22493 Improper cookie attributes in Foreseer Reporting Software (FRS)

Secure flag not set and SameSIte was set to Lax in the Foreseer Reporting Software FRS. Absence of this secure flag could lead into the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS v1.5.100...

5.6CVSS0.00102EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/03/05 8:53 a.m.6 views

CVE-2025-22493 Improper cookie attributes in Foreseer Reporting Software (FRS)

Secure flag not set and SameSIte was set to Lax in the Foreseer Reporting Software FRS. Absence of this secure flag could lead into the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS v1.5.100...

5.6CVSS7.1AI score0.00102EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/02/13 2:7 a.m.6 views

CVE-2025-24875

SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None SameSite=None. This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues...

6.8CVSS7.1AI score0.00169EPSS
Exploits0References1
CVE
CVE
added 2025/02/11 3:36 p.m.63 views

CVE-2025-24900

Concorde (Nexkey) vulnerability: lack of CSRF protection and misconfigured cookies for MediaProxy authentication allow bypassing authentication, enabling image loading without restrictions. Affects versions prior to 12.25Q1.1 (SameSite attribute missing); prior to 12.24Q2.3 the same cookie also a...

8.6CVSS8.8AI score0.0039EPSS
Exploits0References3
NVD
NVD
added 2025/02/11 1:15 a.m.7 views

CVE-2025-24875

SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None SameSite=None. This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues...

6.8CVSS0.00169EPSS
Exploits0References2
CVE
CVE
added 2025/02/11 12:37 a.m.64 views

CVE-2025-24875

CVE-2025-24875 corresponds to SAP Commerce where the Backoffice authentication cookies are by default configured with SameSite=None. Root cause: cookies set to None, weakening CSRF protections. Impact: CSRF risk with potential confidentiality/integrity concerns; exploitation status not detailed i...

6.8CVSS6.7AI score0.00169EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/02/11 12:37 a.m.5 views

CVE-2025-24875 SameSite Defense in Depth not applied for some cookies in SAP Commerce

SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None SameSite=None. This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues...

6.8CVSS6.8AI score0.00169EPSS
Exploits0References2
NVD
NVD
added 2025/01/20 4:15 p.m.61 views

CVE-2025-23044

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit...

8.1CVSS0.00239EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2025/01/20 3:43 p.m.8 views

CVE-2025-23044 Cross-Site Request Forgery (CSRF) allows creating admin account with POST request

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit...

6.8CVSS6.6AI score0.00239EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/01/20 3:43 p.m.55 views

CVE-2025-23044 Cross-Site Request Forgery (CSRF) allows creating admin account with POST request

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit...

6.8CVSS0.00239EPSS
Exploits1References2
CNVD
CNVD
added 2024/11/07 12:0 a.m.12 views

IBM Concert Trust Management Issues Vulnerability (CNVD-2024-49175)

IBM Concert is a new tool from International Business Machines IBM Inc. that uses generative AI to help manage complex cloud-native applications. A trust management issue vulnerability exists in IBM Concert versions 1.0.0 and 1.0.1 that stems from vulnerability to attacks that rely on the use of...

9.8CVSS6.4AI score0.00316EPSS
Exploits0References1
CNVD
CNVD
added 2024/11/05 12:0 a.m.9 views

IBM Concert Cross-Site Request Forgery Vulnerability

IBM Concert is an enterprise collaboration platform from IBM. IBM Concert suffers from a cross-site request forgery vulnerability vulnerability due to a failure to set the SameSite attribute for cookies. An attacker could exploit this vulnerability to conduct a cross-site request forgery CSRF...

3.7CVSS6.6AI score0.00209EPSS
Exploits0References1
NVD
NVD
added 2024/10/22 3:15 p.m.19 views

CVE-2024-43177

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute...

9.8CVSS0.00316EPSS
Exploits0References1
OSV
OSV
added 2024/10/22 3:15 p.m.5 views

CVE-2024-43177

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute...

9.8CVSS6.7AI score
Exploits0References1
NVD
NVD
added 2024/10/22 3:15 p.m.21 views

CVE-2024-43173

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute...

3.7CVSS0.00209EPSS
Exploits0References1
OSV
OSV
added 2024/10/22 3:15 p.m.7 views

CVE-2024-43173

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute...

3.7CVSS4.7AI score
Exploits0References1
CVE
CVE
added 2024/10/22 2:52 p.m.60 views

CVE-2024-43177

CVE-2024-43177 affects IBM Concert Software versions 1.0.0–1.0.1, with the root cause described as cookies being used without the SameSite attribute. Public sources note the vulnerability could enable attacks related to cookie handling, and the NVD metrics show a critical impact (base score 9.8 i...

9.8CVSS6AI score0.00316EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2024/10/22 2:52 p.m.16 views

CVE-2024-43177 IBM Concert improper certificate validation

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute...

5.9CVSS6.9AI score0.00316EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/10/22 2:52 p.m.29 views

CVE-2024-43177 IBM Concert improper certificate validation

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute...

5.9CVSS0.00316EPSS
Exploits0References1
Rows per page
Query Builder