12 matches found

Positive Technologies
added 2026/05/21 12:00 a.m. · 6 views

PT-2026-42676

Name of the Vulnerable Software and Affected Versions: NocoDB, affected versions not specified. Description: The refresh-token cookie is configured with httpOnly: true but lacks the secure flag and the sameSite attribute. The absence of the secure flag allows the cookie to be intercepted over plain...

CVSS 5.4 · AI score 5.5
Exploits 0 · References 4
CNNVD
added 2026/02/03 12:00 a.m. · 3 views

HCL AION security vulnerability

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a cross-site request forgery vulnerability that stems from a missing or insecure SameSite attribute of a cookie, and no detailed vulnerability details are provided at this time...

CVSS 8.8 · AI score 5.7 · EPSS 0.00054
Exploits 0 · References 2
RedhatCVE
added 2026/01/09 12:32 p.m. · 2 views

CVE-2023-4329

Broadcom RAID Controller web interface is vulnerable due to insecure default of HTTP configuration that does not safeguard SESSIONID cookie with SameSite attribute...

CVSS 9.8 · AI score 6.9 · EPSS 0.00106
Exploits 0 · References 1
Brave Browser
added 2025/10/02 12:59 a.m. · 2 views

Brave Desktop 1.83.108 Security Fixes

Updated split view to respect the SameSite attribute, as reported on HackerOne by mingijung. Removed incorrectly elided URL from the shields panel, as reported on HackerOne by apapedulimu. Upgraded Chromium to 141.0.7390.55 — refer to Google Chrome advisories for inherited CVEs...

AI score 5.8
Exploits 0 · References 3 · Affected Software 1
CNNVD
added 2025/05/05 12:00 a.m. · 2 views

HCL BigFix Compliance security vulnerability

HCL BigFix Compliance is a product from HCL India for continuous monitoring and enforcement of endpoint security settings, used to ensure compliance with regulatory or organizational security policies. A security vulnerability exists in HCL BigFix Compliance that stems from missing or improper SameSite attributes,...

CVSS 5.4 · AI score 6.5 · EPSS 0.00173
Exploits 0 · References 1
OSV
added 2025/03/20 10:15 a.m. · 6 views

CVE-2024-7806

A vulnerability in open-webui/open-webui versions = 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious...

CVSS 8.8 · AI score 8.4
Exploits 0 · References 1
CNNVD
added 2024/10/22 12:00 a.m. · 2 views

IBM Concert security vulnerability

IBM Concert is an enterprise collaboration platform from IBM. IBM Concert suffers from a cross-site request forgery vulnerability due to a failure to set the SameSite attribute for cookies. An attacker could exploit this vulnerability to conduct a cross-site request forgery (CSRF)...

CVSS 3.7 · AI score 6.6 · EPSS 0.00092
Exploits 0 · References 2
Positive Technologies
added 2024/04/30 12:00 a.m. · 1 view

PT-2024-5152 · Ibm · Ibm Cloud Pak For Security +1

Name of the Vulnerable Software and Affected Versions: IBM Cloud Pak for Security (CP4S) versions 1.10.0.0 through 1.10.11.0; IBM QRadar Suite for Software versions 1.10.12.0 through 1.10.19.0. Description: The issue is related to errors in security settings, specifically the failure to set the...

CVSS 5.9 · AI score 6 · EPSS 0.00069
Exploits 0 · References 10
OSV
added 2023/11/08 3:33 p.m. · 2 views

DRUPAL-CONTRIB-2023-051

The GraphQL module enables you to build GraphQL APIs, which can include data fetching through queries and data updates (create, update, delete) through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...

AI score 6.7
Exploits 0 · References 1
OSV
added 2023/07/04 5:15 p.m. · 12 views

CVE-2023-31999

All versions of @fastify/oauth2 used a statically generated state parameter at startup time, which was then reused across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site Request Forgery attacks. As such, it should be unique per user and should be connected to...

CVSS 8.8 · AI score 7.1
Exploits 0 · References 3
Mozilla
added 2022/05/03 12:00 a.m. · 298 views

Security Vulnerabilities fixed in Firefox 100 — Mozilla

When reusing existing popups Firefox would have allowed them to cover the fullscreen notification UI, which could have enabled browser spoofing attacks. Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existin...

CVSS 9.8 · AI score 8.7 · EPSS 0.0042
Exploits 5 · References 9 · Affected Software 1
Hacker One
added 2021/03/01 7:39 a.m. · 16 views

Starbucks: Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome

elber discovered a CSRF in webapp.starbucks.co.jp that leaked an access token if an authenticated user opened a crafted HTML file in a browser other than Chrome, which sets the SameSite attribute for the cookie by default. elber also demonstrated the ability to add a Starbucks card to the account with...

AI score 1.4
Exploits 0