151 matches found
CVE-2021-26474
Various Vembu products allow an attacker to execute a non-blind http-only Cross Site Request Forgery Other products or versions of products in this family may be affected too...
CVE-2021-21494
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logsajax.php tipo parameter. An attacker can leverage this to read the centralmka2 session token cookie, which is not set to HTTPOnly...
CVE-2020-27658
Synology Router Manager SRM before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ
It was found that Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to rerieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user...
CVE-2020-6267
Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag...
CVE-2019-19003
For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting...
CVE-2020-8115
A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver = 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older version...
jenkins: Diagnostic web page exposed Cookie HTTP header
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...
CVE-2019-14849
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information...
Red Hat 3scale Cross-Site Scripting Vulnerability
Red Hat 3scale is a suite of API Application Programming Interface lifecycle management software from Red Hat. A cross-site scripting vulnerability exists in Red Hat 3scale, which stems from a user session cookie that fails to set HTTPOnly, and can be exploited by an attacker to conduct cross-sit...
Centreon VM Memory Corruption Vulnerability
Centreon Merethis Centreon is a set of open source system monitoring tools from the French company Centreon . The product mainly provides monitoring capabilities for network, system and application resources.Centreon VM is the virtual machine version of Centreon. A security vulnerability exists i...
CVE-2019-8283
Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it...
Retrieval of HTTP-only cookies
More info at https://www.passbolt.com/incidents/20190211multiplevulnerabilities...
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ
It was found that Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to rerieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user...
Mozilla Firefox Information Disclosure Vulnerability (CNVD-2018-02232)
Mozilla Firefox is an open source web browser developed by the Mozilla Foundation in the United States. A security vulnerability exists in versions prior to Mozilla Firefox 58. The vulnerability can be exploited by an attacker to access cookie values when an existing cookie is set to HttpOnly...
UBUNTU-CVE-2018-5114
If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Network requests correctly use the changed HttpOnly cookie. This vulnerability affects Firefox 58...
DEBIAN-CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2015-2156
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name a...
CVE-2016-5409
Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a Set-Cookie header for the GEARID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies...
CVE-2016-2304
Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie...