PT-2026-26776

Summary AVideo's session start function accepts arbitrary session IDs via the PHPSESSID GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly...

CVE-2022-38922

BluePage CMS thru 3.9 processes an insufficiently sanitized HTTP Header Cookie value allowing MySQL Injection in the 'users-cookie-settings' token using a Time-based blind SLEEP payload...

Sling TV turned privacy into a game you weren’t meant to win

Streaming service Sling TV has settled with the California Attorney General over allegations that it blocked users from exercising their privacy rights. The company will pay $530,000 after being accused of making it difficult for customers to opt out of its data collection practices. The Californ...

EUVD-1999-0790

Malware in sbrugna...

EUVD-2025-3686

Malicious code in bioql PyPI...

CVE-2021-41113

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...

CVE-2024-7053 Session Fixation in open-webui/open-webui

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default SameSite=Lax and does not have the Secure flag enabled, allowing the session cookie to be sent over HT...

PT-2025-12183 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version 0.3.8 Description: A vulnerability allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default SameSite=Lax and does not have the...

CVE-2025-24387

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation. This issue...

CVE-2025-24387

CVE-2025-24387 affects OTRS Application Server (OTRS 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x). Root cause: missing attributes for sensitive cookie settings in HTTPS sessions, enabling potential session hijacking where an attacker signed requests from a malicious site to read the authentication cooki...

CVE-2025-24900

Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Due to a lack of CSRF countermeasures and improper settings of cookies for MediaProxy authentication, there is a vulnerability that allows MediaProxy authentication to be bypassed. In versions prior to...

CVE-2025-24900

Concorde (Nexkey) vulnerability: lack of CSRF protection and misconfigured cookies for MediaProxy authentication allow bypassing authentication, enabling image loading without restrictions. Affects versions prior to 12.25Q1.1 (SameSite attribute missing); prior to 12.24Q2.3 the same cookie also a...

CVE-2025-24900 Concorde CSRF vulnerability due to insecure configuration of authentication cookie attributes

Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Due to a lack of CSRF countermeasures and improper settings of cookies for MediaProxy authentication, there is a vulnerability that allows MediaProxy authentication to be bypassed. In versions prior to...

CVE-2025-24390

A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: OTRS 7.0.X OTRS 8.0.X OTRS 2023.X OTRS 2024.X...

BIT-TYPO3-2021-41113

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...

Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one originates from the cookie-session npm package’s default settings. Patch...

GHSA-H9WQ-XCQX-MQXM Vendure Cross Site Request Forgery vulnerability impacting all API requests

Impact Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one originates from the cookie-session npm package’s default settings. Patch...

CVE-2022-38922

BluePage CMS thru 3.9 processes an insufficiently sanitized HTTP Header Cookie value allowing MySQL Injection in the 'users-cookie-settings' token using a Time-based blind SLEEP payload...

SUSE SLES15 Security Update : php8 (SUSE-SU-2022:3661-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3661-1 advisory. - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main...

Cross site request forgery (csrf)

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...