Common Weakness Enumeration

CWE-1275

Allowed

Sensitive Cookie with Improper SameSite Attribute

Abstraction: Variant · Status: Incomplete

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

35 vulnerabilities reference this CWE, most recent first.

CVE-2024-42212 (GCVE-0-2024-42212)

Vulnerability from cvelistv5 – Published: 2025-05-05 18:40 – Updated: 2025-05-05 19:01
VLAI
Title
HCL BigFix Compliance is affected by an improper or missing SameSite attribute
Summary
HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1275 - Sensitive Cookie with Improper SameSite Attribute
Assigner
HCL
Impacted products
Date Public
2025-05-05 17:27
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42212",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T19:00:09.530206Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T19:01:02.378Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL BigFix Compliance",
          "vendor": "HCL Software",
          "versions": [
            {
              "status": "affected",
              "version": "2.0.12"
            }
          ]
        }
      ],
      "datePublic": "2025-05-05T17:27:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHCL BigFix Compliance is affected by an improper or missing SameSite attribute.  This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user\u0027s browser into making unintended requests using authenticated sessions.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "HCL BigFix Compliance is affected by an improper or missing SameSite attribute.  This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user\u0027s browser into making unintended requests using authenticated sessions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1275",
              "description": "CWE-1275  Sensitive Cookie with Improper SameSite Attribute",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-05T18:40:57.390Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120961"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL BigFix Compliance is affected by an improper or missing SameSite attribute",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2024-42212",
    "datePublished": "2025-05-05T18:40:57.390Z",
    "dateReserved": "2024-07-29T21:32:16.370Z",
    "dateUpdated": "2025-05-05T19:01:02.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-30155 (GCVE-0-2024-30155)

Vulnerability from cvelistv5 – Published: 2025-03-26 07:59 – Updated: 2025-03-26 14:29
VLAI
Title
HCL SX is susceptible to cookie with Insecure, Improper, or Missing SameSite attribute vulnerability
Summary
HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF).
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1275 - Sensitive Cookie with Improper SameSite Attribute
Assigner
HCL
Impacted products
Date Public
2025-03-26 07:58
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-30155",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T14:29:09.054026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-26T14:29:40.392Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL SX",
          "vendor": "HCL Software",
          "versions": [
            {
              "status": "affected",
              "version": "21"
            }
          ]
        }
      ],
      "datePublic": "2025-03-26T07:58:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF).\u0026nbsp;\u003cbr\u003e"
            }
          ],
          "value": "HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1275",
              "description": "CWE-1275 Sensitive Cookie with Improper SameSite Attribute",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-26T07:59:52.442Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120110"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL SX is susceptible to cookie with Insecure, Improper, or Missing SameSite attribute vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2024-30155",
    "datePublished": "2025-03-26T07:59:52.442Z",
    "dateReserved": "2024-03-22T23:57:26.414Z",
    "dateUpdated": "2025-03-26T14:29:40.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-53957 (GCVE-0-2023-53957)

Vulnerability from cvelistv5 – Published: 2025-12-19 21:05 – Updated: 2026-04-07 14:08
VLAI
Title
Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
Summary
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1275 - Sensitive Cookie with Improper SameSite Attribute
Assigner
Impacted products
Vendor Product Version
Kimai Kimai Affected: 1.30.10
Create a notification for this product.
Date Public
2023-04-06 00:00
Credits
nu11secur1ty
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-53957",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-19T21:36:13.015775Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-19T21:41:07.772Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kimai",
          "vendor": "Kimai",
          "versions": [
            {
              "status": "affected",
              "version": "1.30.10"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:kimai:kimai:1.30.10:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nu11secur1ty"
        }
      ],
      "datePublic": "2023-04-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1275",
              "description": "Sensitive Cookie with Improper SameSite Attribute",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T14:08:11.817Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-51278",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/51278"
        },
        {
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ],
          "url": "https://github.com/kimai/kimai/releases/tag/1.30.10"
        },
        {
          "name": "VulnCheck Advisory: Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking"
        }
      ],
      "title": "Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2023-53957",
    "datePublished": "2025-12-19T21:05:52.561Z",
    "dateReserved": "2025-12-19T14:03:57.723Z",
    "dateUpdated": "2026-04-07T14:08:11.817Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-38386 (GCVE-0-2022-38386)

Vulnerability from cvelistv5 – Published: 2024-05-01 12:48 – Updated: 2024-08-03 10:54
VLAI
Title
IBM Cloud Pak for Security information disclosure
Summary
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 does not set the SameSite attribute for sensitive cookies which could allow an attacker to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 233778.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1275 - Sensitive Cookie with Improper SameSite Attribute
Assigner
ibm
Impacted products
Vendor Product Version
IBM Cloud Pak for Security Affected: 1.10.0.0 , ≤ 1.10.11.0 (semver)
Create a notification for this product.
IBM QRadar Suite for Software Affected: 1.10.12.0 , ≤ 1.10.19.0 (semver)
Create a notification for this product.
ibm cloud_pak_for_security Affected: 1.10.0.0 , ≤ 1.10.11.0 (semver)
    cpe:2.3:a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
Create a notification for this product.
ibm qradar_suite Affected: 1.10.12.0 , ≤ 1.10.19.0 (semver)
    cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "cloud_pak_for_security",
            "vendor": "ibm",
            "versions": [
              {
                "lessThanOrEqual": "1.10.11.0",
                "status": "affected",
                "version": "1.10.0.0",
                "versionType": "semver"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "qradar_suite",
            "vendor": "ibm",
            "versions": [
              {
                "lessThanOrEqual": "1.10.19.0",
                "status": "affected",
                "version": "1.10.12.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-38386",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-01T15:13:52.205598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:16:50.033Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:54:03.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7149811"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233778"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud Pak for Security",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "1.10.11.0",
              "status": "affected",
              "version": "1.10.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "QRadar Suite for Software",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "1.10.19.0",
              "status": "affected",
              "version": "1.10.12.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 does not set the SameSite attribute for sensitive cookies which could allow an attacker to obtain sensitive information using man-in-the-middle techniques.  IBM X-Force ID:  233778."
            }
          ],
          "value": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 does not set the SameSite attribute for sensitive cookies which could allow an attacker to obtain sensitive information using man-in-the-middle techniques.  IBM X-Force ID:  233778."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1275",
              "description": "CWE-1275 Sensitive Cookie with Improper SameSite Attribute",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T12:48:12.167Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7149811"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233778"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Cloud Pak for Security information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2022-38386",
    "datePublished": "2024-05-01T12:48:12.167Z",
    "dateReserved": "2022-08-16T18:42:49.432Z",
    "dateUpdated": "2024-08-03T10:54:03.704Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-26M8-335M-QJ22

Vulnerability from github – Published: 2025-03-26 09:31 – Updated: 2025-03-26 09:31
VLAI
Details

HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-26T08:15:12Z",
    "severity": "MODERATE"
  },
  "details": "HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF).",
  "id": "GHSA-26m8-335m-qj22",
  "modified": "2025-03-26T09:31:50Z",
  "published": "2025-03-26T09:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30155"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120110"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FP6-H65V-MPRR

Vulnerability from github – Published: 2024-05-01 15:30 – Updated: 2024-05-01 15:30
VLAI
Details

IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 does not set the SameSite attribute for sensitive cookies which could allow an attacker to obtain sensitive information using man-in-the-middle techniques. IBM X-Force ID: 233778.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T13:15:47Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite for Software 1.10.12.0 through 1.10.19.0 does not set the SameSite attribute for sensitive cookies which could allow an attacker to obtain sensitive information using man-in-the-middle techniques.  IBM X-Force ID:  233778.",
  "id": "GHSA-3fp6-h65v-mprr",
  "modified": "2024-05-01T15:30:34Z",
  "published": "2024-05-01T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38386"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/233778"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7149811"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R8W-HMFJ-P69P

Vulnerability from github – Published: 2024-10-22 18:32 – Updated: 2024-10-22 18:32
VLAI
Details

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-22T15:15:06Z",
    "severity": "LOW"
  },
  "details": "IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute.",
  "id": "GHSA-5r8w-hmfj-p69p",
  "modified": "2024-10-22T18:32:11Z",
  "published": "2024-10-22T18:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43173"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7173596"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F25-WFQC-782V

Vulnerability from github – Published: 2025-03-10 12:30 – Updated: 2025-03-24 15:30
VLAI
Details

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.  

This issue affects:

  • OTRS 7.0.X
  • OTRS 8.0.X
  • OTRS 2023.X
  • OTRS 2024.X
  • OTRS 2025.x
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275",
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-10T10:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive \ncookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation.\n\u00a0\n\nThis issue affects:\n\n  *  OTRS 7.0.X\n  *  OTRS 8.0.X\n  *  OTRS 2023.X\n  *  OTRS 2024.X\n  *  OTRS 2025.x",
  "id": "GHSA-9f25-wfqc-782v",
  "modified": "2025-03-24T15:30:38Z",
  "published": "2025-03-10T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24387"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2025-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C6MV-WGP4-CGJ2

Vulnerability from github – Published: 2025-05-05 21:31 – Updated: 2025-05-05 21:31
VLAI
Details

HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-05T19:15:55Z",
    "severity": "MODERATE"
  },
  "details": "HCL BigFix Compliance is affected by an improper or missing SameSite attribute.  This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user\u0027s browser into making unintended requests using authenticated sessions.",
  "id": "GHSA-c6mv-wgp4-cgj2",
  "modified": "2025-05-05T21:31:28Z",
  "published": "2025-05-05T21:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42212"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0120961"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CV8H-R7R5-VWJ9

Vulnerability from github – Published: 2025-12-19 21:30 – Updated: 2026-02-20 18:25
VLAI
Summary
Kimai contains a SameSite cookie vulnerability
Details

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "kimai/kimai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.30.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-53957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T18:25:02Z",
    "nvd_published_at": "2025-12-19T21:15:52Z",
    "severity": "HIGH"
  },
  "details": "Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.",
  "id": "GHSA-cv8h-r7r5-vwj9",
  "modified": "2026-02-20T18:25:02Z",
  "published": "2025-12-19T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53957"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kimai/kimai"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51278"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kimai contains a SameSite cookie vulnerability"
}

Mitigation
Implementation

Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.

CAPEC-62: Cross Site Request Forgery

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.