5 matches found
CVE-2026-39963 Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipitysetCookie function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie. An attacker who can influence the Host header at login time, such as vi...
OPENSUSE-SU-2022:10098-1 Security update for python-treq
This update for python-treq fixes the following issues: - Fixed CVE-2022-23607 (boo#1195432) binding cookies to the domain...
Zoom Client Information Disclosure Vulnerability
Zoom Client is a video conferencing client application from Zoom, Inc. that supports multiple platforms. An information disclosure vulnerability exists in Zoom Client for Meetings prior to version 5.10.0, which stems from an inability to properly bind a client session cookie to a Zoom domain...
UBUNTU-CVE-2022-23607
treq is an HTTP library inspired by requests but written on top of Twisted's Agents. Treq's request methods (treq.get, treq.post, etc.) and treq.client.HTTPClient constructor accept cookies as a dictionary. Such cookies are not bound to a single domain, and are therefore sent to every domain...
October CMS Information Disclosure Vulnerability
October CMS is an open source content management system (CMS) based on PHP and the Laravel web application framework. An information disclosure vulnerability exists in versions of October CMS prior to 1.0.468 that stems from the program not binding an encrypted cookie value to the cookie name of that...