113 matches found
PT-2025-21936 · Undefined · Undefined
🚨 CVE-2025-190800 in Auth0 WordPress plugin allows brute force attacks on session cookies, risking unauthorized access. Update to version 5.3.0 or later and consider rotating cookie encryption keys.🔧 Read more: https://t.co/aLcSs7CcDK BruteForceAttack CyberSecurity Vulert https://t.co/3Z8lZDmI2j...
GHSA-G98G-R7GF-2R25 Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
Overview Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: 1. Applications...
CVE-2025-47275
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in...
CVE-2025-47275
Summary: CVE-2025-47275 affects Auth0-PHP SDKs used with CookieStore across multiple Auth0 integrations (Laravel, WordPress, Symfony). Affected versions: Auth0-PHP in 8.0.0-BETA1 up to, but not including, 8.14.0. Applications using the SDK or linked Auth0 wrappers relying on it may have session c...
CVE-2025-47275 Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in...
CVE-2025-47275 Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in...
GHSA-4FWJ-M62Q-PP47 Password Pusher Allows Session Token Interception Leading to Potential Hijacking
Impact A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before...
GHSA-H63V-HW6G-X8HP Bit flip attack vulnerability in cookie-encrypter
due to a weakness in the encryption method used in cookie-encrypter an attack can use the world visible IV to edit encrypted cookies without decrypting the cookie itself. This is known as an AES CBC bit flipping attack...
PT-2024-35742 · Unknown · Cookie-Encrypter
Name of the Vulnerable Software and Affected Versions: cookie-encrypter version 1.0.1 Description: The issue is related to a weakness in the encryption method used, allowing attackers to execute a bit flipping attack, specifically an AES CBC bit flipping attack, by exploiting the decryptCookie...
Deserialization Of Untrusted Data
illuminate/cookie is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to insecure cookie encryption and serialization logic, which allows attackers to potentially decrypt or manipulate cookie data, resulting in arbitrary code execution...
GHSA-6JVX-8CH9-J2JR Laravel Cookie serialization vulnerability
Laravel 5.6.30 is a security release of Laravel and is recommended as an immediate upgrade for all users. Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic. Refer to laravel advisory for more details and read the notes carefully when upgrading your...
Laravel Cookie serialization vulnerability
Laravel 5.6.30 is a security release of Laravel and is recommended as an immediate upgrade for all users. Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic. Refer to laravel advisory for more details and read the notes carefully when upgrading your...
CVE-2024-31999
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...
K11453402: BIG-IP Cookie encryption security exposure
Security Advisory Description When HTTP Profile Cookie encryption is enabled, duplicate HTTP cookies may be passed on to back-end servers. This issue occurs when the following condition is met: The virtual server has an HTTP Profile with Cookie Encryption enabled. Impact The back-end pool member...
Fortinet Fortigate Padding oracle in cookie encryption (FG-IR-21-126)
The version of Fortigate installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-21-126 advisory. - An improper verification of cryptographic signature vulnerability CWE-347 in FortiWeb 6.4 all versions, 6.3.16 and below, 6...
Fortinet FortiWeb Padding oracle in cookie encryption (FG-IR-21-126)
The version of FortiWeb installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-21-126 advisory. - An improper verification of cryptographic signature vulnerability CWE-347 in FortiWeb 6.4 all versions, 6.3.16 and below, 6....
SUSE CVE-2012-0807
Stack-based buffer overflow in the suhosinencryptsinglecookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long...
SUSE CVE-2016-0736
In Apache HTTP Server versions 2.4.0 to 2.4.23, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...
SUSE CVE-2016-6606
An issue was discovered in cookie encryption in phpMyAdmin. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Furthermore, the same initialization vector...
Cross-site Request Forgery (CSRF)
tiny-csrf is vulnerable to cross-site request forgery. The vulnerability exists due tocsurf because the cookies are not encrypted which allows an attacker to gain access to the tokens and bypass CSRF checks...