16 matches found
CVE-2025-34412
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it identified a vulnerability in a SaaS product that does not require user action...
EUVD-2025-203381
The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy,...
EUVD-2024-2303
Malicious code in bioql PyPI...
GHSA-43G4-487M-5Q6M Open WebUI Vulnerable to a Session Fixation Attack
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default SameSite=Lax and does not have the Secure flag enabled, allowing the session cookie to be sent over HT...
Open WebUI Vulnerable to a Session Fixation Attack
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default SameSite=Lax and does not have the Secure flag enabled, allowing the session cookie to be sent over HT...
Oracle Linux 8 : tomcat (ELSA-2023-7065)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-7065 advisory. - Resolves: 2210630 CVE-2023-28709 tomcat - Resolves: 2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure...
Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.6.2.7)
The version of AOS installed on the remote host is prior to 6.6.2.7. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.6.2.7 advisory. - A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did n...
Huawei EulerOS: Security Advisory for php (EulerOS-SA-2023-2196)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Security Bulletin: IBM CICS TX Standard is vulnerable to allowing attackers access to an application via insecure session cookies (CVE-2022-34313).
Summary IBM CICS TX Standard could allow attackers to access an application via insecure session cookies. The fix removes this vulnerability CVE-2022-34313 from IBM CICS TX Standard. Vulnerability Details CVEID:CVE-2022-34313 DESCRIPTION: IBM CICS TX does not set the secure attribute on...
Security Bulletin: IBM CICS TX Advanced is vulnerable to allowing an attacker to access an application via insecure session cookies (CVE-2022-34313).
Summary IBM CICS TX Advanced could allow an attacker access to an application via insecure session cookies. The fix removes this vulnerability CVE-2022-34313 from IBM CICS TX Advanced. Vulnerability Details CVEID:CVE-2022-34313 DESCRIPTION: IBM CICS TX does not set the secure attribute on...
CVE-2022-34313 IBM CICS TX Standard is vulnerable to allowing attackers access to an application via insecure session cookies
IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can...
CVE-2022-34313 IBM CICS TX Standard is vulnerable to allowing attackers access to an application via insecure session cookies
IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can...
CVE-2022-22329
IBM Control Desk 7.6.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacke...
Mail.ru: CSRF + XSS leads to ATO
Reflected XSS on dwar.mail.ru via POST parameter formnick There was a Self-XSS issue on Request with no CSRF Protection leading to full Account Takeover due to Insecure Session Cookies...
ManageEngine MSPCentral 9 CSRF / Cross Site Scripting Vulnerability
ManageEngine MSPCentral version 9 suffers from cross site request forgery, insecure session cookies, and cross site scripting vulnerabilities. Multiple vulnerabilities in ManageEngine MSPCentral 9 ------------------------------------------------------------ Background ---------- At Kiwicon 6 in m...
ManageEngine MSPCentral 9 Cross Site Request Forgery / Cross Site Scripting
-------------------------------------------------------------- REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED REDACTED ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY ADVISORY -------------------------------------------------------------- RA004: Multiple vulnerabilities in ManageEngi...