76 matches found
CVE-2016-11014
NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case...
CVE-2008-7296
Apple Safari cannot properly restrict modifications to cookies established in HTTPS sessions, which allows man-in-the-middle attackers to overwrite or delete arbitrary cookies via a Set-Cookie header in an HTTP response, related to lack of the HTTP Strict Transport Security HSTS includeSubDomains...
DEBIAN-CVE-2025-26844
An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag...
CVE-2025-46344
Summary of affected component: Auth0 Next.js SDK (nextjs-auth0), version range 4.0.1 through 4.5.0. Root cause: When generating a JWE token for the session, the code does not invoke .setExpirationTime, so the JWE lacks an internal expiration claim; session cookies may expire, but the JWE remains ...
CVE-2024-49705
Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to client-side Denial of Servise DoS attacks. An attacker might trick a user into using an URL with a d parameter set to an unhandled value. All the subsequent requests will not be accepted as the server returns an error...
CVE-2024-49705 XSS in iKSORIS
Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to client-side Denial of Servise DoS attacks. An attacker might trick a user into using an URL with a d parameter set to an unhandled value. All the subsequent requests will not be accepted as the server returns an error...
CVE-2024-49705
Technical details are not publicly provided in the supplied documents. Monitor for updates.
CVE-2024-7053
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default SameSite=Lax and does not have the Secure flag enabled, allowing the session cookie to be sent over HT...
CVE-2025-22493
CVE-2025-22493 affects Foreseer Reporting Software (FRS). The issue stems from the secure flag not being set and SameSite configured to Lax, allowing session cookies to be transmitted over unencrypted HTTP connections. The Red Hat and NVD/NIST records confirm the vulnerability description and ind...
CVE-2025-24896
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named token is stored in a cookie for authentication purposes in Bull Dashboard, but this remains undeleted even after logout is performed. The primary...
Security update for python311
This update for python311 fixes the following issues: CVE-2024-8088: Fixed a denial of service in zipfile bsc1229704 CVE-2024-6232: Fixed a ReDos via excessive backtracking while parsing header values bsc1230227 CVE-2024-7592: Fixed a denial of service in the http.cookies module bsc1229596 Patch...
Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in cookie
Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of cookie Vulnerability Details CVEID:CVE-2024-47764 DESCRIPTION: jshttp cookie could allow a remote attacker to bypass security restrictions, caused by improper input validation by the cookie name, path, and...
PT-2025-7617 · Debian · Debian
Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: The issue is related to an HTTP Cookie not being set correctly, as described by znuny. Recommendations: At the moment, there is no information about a newer version that contains a fix...
SUSE CVE-2024-44309
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. App...
SUSE CVE-2024-41057
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefileswithdrawcookie We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in...
USN-6757-2 php7.4, php8.1, php8.2 vulnerabilities
USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. This update fixes the problem. Original advisory details: It was discovered that PHP incorrectly handled PHPCLISERVERWORKERS variable. An attacker could...
Authentication cookie is not renewed after successfully login
Description ICMS62EC2566CC4B5 cookie is still same after log in. The value is not changed or renewed. Detail: 1/ Access to the web demo and user browser's dev tool to check the cookie. 2/ Observe the value of ICMS62EC2566CC4B5 cookie, try to log in and it is still the same. Proof of Concept Link...
PT-2023-21215 · Unknown · Dg3450 Cable Gateway
Name of the Vulnerable Software and Affected Versions: DG3450 Cable Gateway version AR01.02.056.18 041520 711.NCS.10 Description: An issue was discovered in the log file download functionality of the troubleshooting logs download.php file, which does not check the session cookie. This allows an...
SUSE CVE-2016-9078
Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without t...
CVE-2023-25562 Failure to Invalidate Session on Logout in DataHub
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45 Session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the AuthUtils.hasValidSessionCookie method could be bypassed by using a cookie from a logged out...