
14 matches found

RedhatCVE
added 2025/10/28 12:27 a.m. | 5 views

CVE-2025-27223

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to...

7.5 CVSS | 7 AI score | 0.0551 EPSS
Exploits: 1 | References: 1

OSV
added 2025/10/27 5:15 p.m. | 1 views

CVE-2025-27223

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to...

7.5 CVSS | 5.8 AI score | 0.0551 EPSS
Exploits: 1 | References: 3

EUVD
added 2025/10/27 12:0 a.m. | 3 views

EUVD-2025-36214

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to...

6.6 AI score | 0.0551 EPSS
Exploits: 1 | References: 4

Vulnrichment
added 2025/10/27 12:0 a.m. | 3 views

CVE-2025-27223

TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static key to create the encrypted cookie, ultimately allowing anyone to forge cookies and gain access to...

6.7 AI score | 0.0551 EPSS
Exploits: 1 | References: 3

CVE
added 2025/10/27 12:0 a.m. | 7 views

CVE-2025-27223

TRUfusion Enterprise

7.5 CVSS | 6.7 AI score | 0.0551 EPSS
In wild | Exploits: 1 | References: 3 | Affected Software: 1

EUVD
added 2025/10/10 10:6 a.m. | 2 views

EUVD-2025-33702

A Missing Secure Attribute in Encrypted Session SSL Cookie vulnerability in HCL AION. This issue affects AION: 2.0...

6.5 CVSS | 6.5 AI score | 0.0002 EPSS
Exploits: 0 | References: 2

Positive Technologies
added 2025/10/10 12:0 a.m. | 2 views

PT-2025-41538

Name of the Vulnerable Software and Affected Versions: HCL AION version 2.0. Description: The software contains a missing secure attribute in encrypted session cookies. This could allow attackers to potentially intercept sensitive information transmitted in the session. Recommendations: At the moment...

6.5 CVSS | 6.2 AI score | 0.0002 EPSS
Exploits: 0 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2020-0593

Malware in sbrugna...

6.3 CVSS | 6.5 AI score | 0.00113 EPSS
Exploits: 0 | References: 5

OSV
added 2024/09/10 3:15 p.m. | 0 views

CVE-2024-36511

An improperly implemented security check for standard vulnerability CWE-358 in FortiADC Web Application Firewall (WAF) 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an...

3.7 CVSS | 5.8 AI score | 0.00408 EPSS
Exploits: 0 | References: 1

CNNVD
added 2021/10/14 12:0 a.m. | 1 views

LedgerSMB Security Vulnerability

LedgerSMB is a free web-based double-entry bookkeeping system with quoting, ordering, invoicing, projects, time cards, inventory management, shipping, and more. A security vulnerability exists in LedgerSMB that stems from LedgerSMB not setting the Secure attribute on the session authorization...

6.8 CVSS | 6.3 AI score | 0.00116 EPSS
Exploits: 1 | References: 3

CNVD
added 2020/08/03 12:0 a.m. | 2 views

October CMS Information Disclosure Vulnerability

October CMS is an open source content management system (CMS) based on PHP and the Laravel web application framework. An information disclosure vulnerability exists in versions of October CMS prior to 1.0.468 that stems from the program not binding an encrypted cookie value to the cookie name of that...

6.3 CVSS | 6.2 AI score | 0.00113 EPSS
Exploits: 0 | References: 1

Prion
added 2020/07/31 6:15 p.m. | 11 views

Design/Logic Flaw

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a...

3.5 CVSS | 6.5 AI score | 0.00113 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

PyPA
added 2018/12/20 3:29 p.m. | 4 views

PYSEC-2018-35

aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in non-expiring sessions / infinite lifespan. This attack appears to be exploitable via recreation of a cookie post-expiry with the same value...

6.5 CVSS | 6.8 AI score | 0.00241 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

NVD
added 2011/02/23 7:0 p.m. | 9 views

CVE-2011-1068

Microsoft Windows Azure Software Development Kit (SDK) 1.3.x before 1.3.20121.1237, when Full IIS and a Web Role are used with an ASP.NET application, does not properly support the use of cookies for maintaining state, which allows remote attackers to obtain potentially sensitive information by...

2.6 CVSS | 6.3 AI score | 0.15947 EPSS
Exploits: 0 | References: 2