Astra Linux - уязвимость в firefox, thunderbird

By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. This vulnerability affects Firefox ESR 102.3, Thunderbird 102.3, and...

CVE-2024-4867 Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

curl: libcurl: Curl out of bounds read for cookie path

An out of bounds read flaw has been discovered in the curl project. Under specific conditions the path comparison logic makes curl read outside a heap buffer boundary. This bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site...

100-days-challenge-day-30-XSS-attacks

100-days-challenge-day-30-XSS-attacks XSS attacks demonstrate...

CVE-2023-29547

When a secure cookie existed in the Firefox cookie jar an insecure cookie for the same domain could have been created, when it should have silently failed. This could have led to a desynchronization in expected results when reading from the secure cookie. This vulnerability affects Firefox for...

CVE-2024-58317 Kentico Xperience <= 13.0.164 Cookie Security Configuration

A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session...

EUVD-2020-25996

Malware in sbrugna...

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: curl (UTSA-2025-987465)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-987465 advisory. 1. A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to speak with http://target same hostname, but using clear...

EUVD-2022-6955

Malicious code in bioql PyPI...

CVE-2025-36011 IBM Jazz for Service Management information disclosure

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to...

Security Bulletin: IBM Jazz for Service Management is vulnerable to "cookiesEnabled" cookie not sent over SSL

Summary IBM Jazz for Service Management is vulnerable to "cookiesEnabled" cookie not sent over SSL CVE-2025-36011. Vulnerability Details CVEID:CVE-2025-36011 DESCRIPTION: IBM Jazz for Service Management does not set the secure attribute on authorization tokens or session cookies. Attackers may be...

BIT-ENVOY-2025-55162 Envoy: oAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag

Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. Whe...

Linux Distros Unpatched Vulnerability : CVE-2022-36032

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to...

Envoy 代码问题漏洞

Envoy is an Enphase open source gateway program for connecting smart home devices. A code issue vulnerability exists in Envoy, which stems from the OAuth2 filter omitting the Secure attribute when deleting session cookies with the Secure-/Host- prefix, resulting in the browser rejecting the delet...

CVE-2025-24387

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation. This issue...

SUSE CVE-2025-24390

A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: OTRS 7.0.X OTRS 8.0.X OTRS 2023.X OTRS 2024.X...

CVE-2024-28770

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user...

USN-7106-1 tomcat9 vulnerabilities

It was discovered that Tomcat did not include the secure attribute for session cookies when using the RemoteIpFilter with requests from a reverse proxy. An attacker could possibly use this issue to leak sensitive information. CVE-2023-28708 It was discovered that Tomcat had a vulnerability in its...

CVE-2023-33860

IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the...

RHEL 7 : webkitgtk3 (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - webkitgtk: Use-after-free leading to arbitrary code execution CVE-2021-30858 - Late TLS certificate...