Common Weakness Enumeration

CWE-1275

Allowed

Sensitive Cookie with Improper SameSite Attribute

Abstraction: Variant · Status: Incomplete

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

35 vulnerabilities reference this CWE, most recent first.

GHSA-FV45-RWVX-GXXG

Vulnerability from github – Published: 2026-02-03 21:31 – Updated: 2026-02-03 21:31
VLAI
Details

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T19:16:12Z",
    "severity": "MODERATE"
  },
  "details": "HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can  allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.",
  "id": "GHSA-fv45-rwvx-gxxg",
  "modified": "2026-02-03T21:31:50Z",
  "published": "2026-02-03T21:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52628"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0127972"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GQQ5-V4CW-9926

Vulnerability from github – Published: 2023-07-06 03:30 – Updated: 2024-04-04 05:25
VLAI
Details

Improper configuration in Samsung Internet prior to version 21.0.0.41 allows attacker to bypass SameSite Cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30674"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-06T03:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Improper configuration in Samsung Internet prior to version 21.0.0.41 allows attacker to bypass SameSite Cookie.",
  "id": "GHSA-gqq5-v4cw-9926",
  "modified": "2024-04-04T05:25:46Z",
  "published": "2023-07-06T03:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30674"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HR59-Q2GM-7HRJ

Vulnerability from github – Published: 2024-07-09 15:30 – Updated: 2024-07-16 18:31
VLAI
Details

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T15:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox \u003c 128.",
  "id": "GHSA-hr59-q2gm-7hrj",
  "modified": "2024-07-16T18:31:42Z",
  "published": "2024-07-09T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6611"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1844827"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-29"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MPQ2-MV8P-9WM6

Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:18
VLAI
Summary
Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design
Details

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0RC1"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275",
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-24T21:18:09Z",
    "nvd_published_at": "2026-05-21T22:16:51Z",
    "severity": "LOW"
  },
  "details": "Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design.",
  "id": "GHSA-mpq2-mv8p-9wm6",
  "modified": "2026-06-24T21:18:31Z",
  "published": "2026-05-22T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8413"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design"
}

GHSA-XMFQ-XM97-G58P

Vulnerability from github – Published: 2025-11-25 15:31 – Updated: 2025-12-01 15:30
VLAI
Details

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1275"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-25T15:15:51Z",
    "severity": "LOW"
  },
  "details": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1\u00a0could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie.",
  "id": "GHSA-xmfq-xm97-g58p",
  "modified": "2025-12-01T15:30:16Z",
  "published": "2025-11-25T15:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36134"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7252210"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.

CAPEC-62: Cross Site Request Forgery

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.