CWE-565
AllowedReliance on Cookies without Validation and Integrity Checking
Abstraction: Base · Status: Incomplete
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
95 vulnerabilities reference this CWE, most recent first.
GHSA-9G7F-GMJ5-MXVQ
Vulnerability from github – Published: 2022-05-17 00:42 – Updated: 2024-02-08 03:32V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.
{
"affected": [],
"aliases": [
"CVE-2008-5784"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-12-31T11:30:00Z",
"severity": "HIGH"
},
"details": "V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.",
"id": "GHSA-9g7f-gmj5-mxvq",
"modified": "2024-02-08T03:32:44Z",
"published": "2022-05-17T00:42:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5784"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46479"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/7063"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32603"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/32216"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/3071"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8F6-FGC7-QF74
Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2024-03-21 03:35** UNSUPPPORTED WHEN ASSIGNED **
Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.
{
"affected": [],
"aliases": [
"CVE-2023-41084"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-18T20:15:10Z",
"severity": "CRITICAL"
},
"details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\n\n\n\n\n\n\nSession management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.\n\n\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-c8f6-fgc7-qf74",
"modified": "2024-03-21T03:35:46Z",
"published": "2023-09-18T21:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41084"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9C3-4C2F-4W5R
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-07-13 00:01DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.
{
"affected": [],
"aliases": [
"CVE-2021-29012"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T13:15:00Z",
"severity": "CRITICAL"
},
"details": "DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.",
"id": "GHSA-c9c3-4c2f-4w5r",
"modified": "2022-07-13T00:01:15Z",
"published": "2022-05-24T17:46:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29012"
},
{
"type": "WEB",
"url": "https://github.com/1d8/publications/tree/main/cve-2021-29012"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/radiusmanager"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CG3Q-59W7-RVC2
Vulnerability from github – Published: 2021-09-29 17:12 – Updated: 2021-09-28 20:32grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking. A cookie with an overly broad path can be accessed through other applications on the same domain. Since cookies often carry sensitive information such as session identifiers, sharing cookies across applications can lead a vulnerability in one application to cause a compromise in another.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3818"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-28T20:32:37Z",
"nvd_published_at": "2021-09-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking. A cookie with an overly broad path can be accessed through other applications on the same domain. Since cookies often carry sensitive information such as session identifiers, sharing cookies across applications can lead a vulnerability in one application to cause a compromise in another.",
"id": "GHSA-cg3q-59w7-rvc2",
"modified": "2021-09-28T20:32:37Z",
"published": "2021-09-29T17:12:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/c51fb1779b83f620c0b6f3548d4a96322b55df07"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/c2bc65af-7b93-4020-886e-8cdaeb0a58ea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Reliance on Cookies without Validation and Integrity Checking in getgrav/grav"
}
GHSA-CH9M-4JXR-G98Q
Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 00:00UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.
{
"affected": [],
"aliases": [
"CVE-2022-38297"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-12T23:15:00Z",
"severity": "CRITICAL"
},
"details": "UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.",
"id": "GHSA-ch9m-4jxr-g98q",
"modified": "2022-09-16T00:00:39Z",
"published": "2022-09-13T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38297"
},
{
"type": "WEB",
"url": "https://github.com/tobysunyaya/UCMS_vulunerablities/blob/main/UCMS%20v1.6%20cookies%20poisoning%20attack%20vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CPCP-57XW-48RV
Vulnerability from github – Published: 2026-06-17 21:34 – Updated: 2026-06-17 21:34Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.
{
"affected": [],
"aliases": [
"CVE-2026-53871"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T19:18:11Z",
"severity": "HIGH"
},
"details": "Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.",
"id": "GHSA-cpcp-57xw-48rv",
"modified": "2026-06-17T21:34:38Z",
"published": "2026-06-17T21:34:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53871"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/pull/4023"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/pull/4036"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/commit/9e96f5f6adf93b6d1e27ebddfb4d2833ca06ff3b"
},
{
"type": "WEB",
"url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.368"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hermes-webui-profile-scoped-authorization-bypass-via-forged-hermes-profile-cookie"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CQ85-4F5H-QQC4
Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-11-20 00:32Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123 and Firefox ESR < 115.8.
{
"affected": [],
"aliases": [
"CVE-2024-1551"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T14:15:08Z",
"severity": "MODERATE"
},
"details": "Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123 and Firefox ESR \u003c 115.8.",
"id": "GHSA-cq85-4f5h-qqc4",
"modified": "2024-11-20T00:32:08Z",
"published": "2024-02-20T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1551"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-05"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-06"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CWMX-HCRQ-MHC3
Vulnerability from github – Published: 2022-05-25 18:09 – Updated: 2022-06-20 22:02Impact
Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.
Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability.
Patches
Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3.
Workarounds
If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off.
References
For more information
If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "guzzlehttp/guzzle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "guzzlehttp/guzzle"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29248"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-565"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T18:09:55Z",
"nvd_published_at": "2022-05-25T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nPrevious version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.\n\nNote that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `[\u0027cookies\u0027 =\u003e true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3.\n\n### Workarounds\n\nIf you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off.\n\n### References\n\n* [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3)\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n",
"id": "GHSA-cwmx-hcrq-mhc3",
"modified": "2022-06-20T22:02:17Z",
"published": "2022-05-25T18:09:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29248"
},
{
"type": "WEB",
"url": "https://github.com/guzzle/guzzle/pull/3018"
},
{
"type": "WEB",
"url": "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/guzzle/guzzle"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5246"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2022-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-domain cookie leakage in Guzzle"
}
GHSA-F3GR-956R-2X26
Vulnerability from github – Published: 2023-02-01 21:30 – Updated: 2023-02-10 18:30All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values.
{
"affected": [],
"aliases": [
"CVE-2022-3083"
],
"database_specific": {
"cwe_ids": [
"CWE-565",
"CWE-784"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T21:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device\u0027s web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values.",
"id": "GHSA-f3gr-956r-2x26",
"modified": "2023-02-10T18:30:30Z",
"published": "2023-02-01T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3083"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-07"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FPCR-G545-M542
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-02-24 00:01WAGO 750-8212 PFC200 G2 2ETH RS Firmware version 03.05.10(17) is affected by a privilege escalation vulnerability. Improper handling of user cookies leads to escalating privileges to administrative account of the router.
{
"affected": [],
"aliases": [
"CVE-2021-46388"
],
"database_specific": {
"cwe_ids": [
"CWE-565"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T11:15:00Z",
"severity": "HIGH"
},
"details": "WAGO 750-8212 PFC200 G2 2ETH RS Firmware version 03.05.10(17) is affected by a privilege escalation vulnerability. Improper handling of user cookies leads to escalating privileges to administrative account of the router.",
"id": "GHSA-fpcr-g545-m542",
"modified": "2022-02-24T00:01:01Z",
"published": "2022-02-17T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46388"
},
{
"type": "WEB",
"url": "https://drive.google.com/drive/folders/1FDtxZayLeSITcqP72c7FsTOpAFGFePVE"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166159/WAGO-750-8212-PFC200-G2-2ETH-RS-Privilege-Escalation.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Avoid using cookie data for a security-related decision.
Mitigation
Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.
Mitigation
Add integrity checks to detect tampering.
Mitigation
Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.
CAPEC-226: Session Credential Falsification through Manipulation
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.