Common Weakness Enumeration

CWE-565

Allowed

Reliance on Cookies without Validation and Integrity Checking

Abstraction: Base · Status: Incomplete

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

95 vulnerabilities reference this CWE, most recent first.

GHSA-RC4Q-9M69-GQP8

Vulnerability from github – Published: 2021-05-17 20:53 – Updated: 2021-05-17 20:29
VLAI
Summary
Lack of protection against cookie tossing attacks in fastify-csrf
Details

Impact

Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service.

Patches

Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.

The user of the module would need to supply a userInfo when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.

Workarounds

None available.

References

  1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf

Credits

This vulnerability was found by Xhelal Likaj xhelallikaj20@gmail.com.

For more information

If you have any questions or comments about this advisory: * Open an issue in fastify-csrf * Email us at hello@matteocollina.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fastify-csrf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T20:29:48Z",
    "nvd_published_at": "2021-05-19T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers that used fastify-csrf with the \"double submit\" mechanism using cookies with an application deployed across multiple subdomains, e.g. \"heroku\"-style platform as a service. \n\n### Patches\n\nVersion 3.1.0 of the fastify-csrf fixes it. \nSee https://github.com/fastify/fastify-csrf/pull/51 and https://github.com/fastify/csrf/pull/2.\n\nThe user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains.\n\n### Workarounds\n\nNone available.\n\n### References\n\n1. https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html\n2. https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf\n\n### Credits\n\nThis vulnerability was found by Xhelal Likaj \u003cxhelallikaj20@gmail.com\u003e.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [fastify-csrf](https://github.com/fastify/fastify-csrf)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n",
  "id": "GHSA-rc4q-9m69-gqp8",
  "modified": "2021-05-17T20:29:48Z",
  "published": "2021-05-17T20:53:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-csrf/security/advisories/GHSA-rc4q-9m69-gqp8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/csrf/pull/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-csrf/pull/51"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-csrf/releases/tag/v3.1.0"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lack of protection against cookie tossing attacks in fastify-csrf"
}

GHSA-RP6H-H28Q-45MQ

Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51
VLAI
Details

EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20512"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-03T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies.",
  "id": "GHSA-rp6h-h28q-45mq",
  "modified": "2022-05-13T01:51:04Z",
  "published": "2022-05-13T01:51:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20512"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/networking/comments/abu4kq/vulnerability_in_cdata_technologies_epon_cpewifi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWW7-MM5M-VX73

Vulnerability from github – Published: 2023-06-30 06:30 – Updated: 2024-04-04 05:18
VLAI
Details

Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-30T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege.",
  "id": "GHSA-rww7-mm5m-vx73",
  "modified": "2024-04-04T05:18:42Z",
  "published": "2023-06-30T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32612"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN78634340"
    },
    {
      "type": "WEB",
      "url": "https://www.wavlink.com/en_us/firmware/details/932108ffc5.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V2F2-VWC6-37GC

Vulnerability from github – Published: 2022-08-13 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-12T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
  "id": "GHSA-v2f2-vwc6-37gc",
  "modified": "2022-08-16T00:00:23Z",
  "published": "2022-08-13T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2615"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1268580"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMHR-5QXJ-XVCM

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-26 12:00
VLAI
Details

Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located.",
  "id": "GHSA-vmhr-5qxj-xvcm",
  "modified": "2022-10-26T12:00:32Z",
  "published": "2022-05-24T19:04:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33842"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/circutor-sge-plc1000-improper-authentication"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/circutor-sge-plc1000-improper-authentication"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W2M4-XQG7-PFHG

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19224"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-12T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.",
  "id": "GHSA-w2m4-xqg7-pfhg",
  "modified": "2022-05-13T01:19:45Z",
  "published": "2022-05-13T01:19:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19224"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AvaterXXX/laobanCMS/blob/master/1.md#unauthorized-access"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3W9-VRF5-8MX8

Vulnerability from github – Published: 2022-09-16 18:48 – Updated: 2022-09-16 18:48
VLAI
Summary
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
Details

Impact

In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.

Patches

  • https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in reactphp/http v1.7.0

Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.

References

  • CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0
  • CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
  • Originally introduced via https://github.com/reactphp/http/pull/175

Credits

  • Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "react/http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T18:48:53Z",
    "nvd_published_at": "2022-09-06T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn ReactPHP\u0027s HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information. \n\n### Patches\n\n* https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in [reactphp/http `v1.7.0`](https://github.com/reactphp/http/releases/tag/v1.7.0)\n\n### Workarounds\n\nInfrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.\n\n### References\n\n* CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0\n* CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c\n* Originally introduced via https://github.com/reactphp/http/pull/175\n\n### Credits\n\n* Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Join the discussion](https://github.com/orgs/reactphp/discussions/465)\n* Email us at support@reactphp.org\n",
  "id": "GHSA-w3w9-vrf5-8mx8",
  "modified": "2022-09-16T18:48:53Z",
  "published": "2022-09-16T18:48:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36032"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/pull/175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/react/http/CVE-2022-36032.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reactphp/http"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/releases/tag/v1.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ReactPHP\u0027s HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent"
}

GHSA-W43V-QR8X-XQ75

Vulnerability from github – Published: 2022-06-30 00:00 – Updated: 2022-07-08 00:00
VLAI
Details

Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-29T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie\u0027s scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.",
  "id": "GHSA-w43v-qr8x-xq75",
  "modified": "2022-07-08T00:00:43Z",
  "published": "2022-06-30T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/textpattern/textpattern/commit/211fab0093999f59b0b61682aa988ac7d8337aa9"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/aadbe434-a376-443b-876f-2a1cbab7847b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMRX-G8F2-RGWH

Vulnerability from github – Published: 2023-06-20 21:30 – Updated: 2024-04-04 04:59
VLAI
Details

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-20T20:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.",
  "id": "GHSA-wmrx-g8f2-rgwh",
  "modified": "2024-04-04T04:59:06Z",
  "published": "2023-06-20T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35885"
    },
    {
      "type": "WEB",
      "url": "https://github.com/datackmy/FallingSkies-CVE-2023-35885"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudpanel.io/docs/v2/changelog"
    },
    {
      "type": "WEB",
      "url": "https://www.datack.my/fallingskies-cloudpanel-0-day"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQX6-GHVG-724J

Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-09 21:31
VLAI
Details

COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T21:15:49Z",
    "severity": "HIGH"
  },
  "details": "COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information.",
  "id": "GHSA-wqx6-ghvg-724j",
  "modified": "2025-12-09T21:31:49Z",
  "published": "2025-12-09T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47706"
    },
    {
      "type": "WEB",
      "url": "https://www.commax.com"
    },
    {
      "type": "WEB",
      "url": "https://www.commax.com/product"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50206"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/commax-biometric-access-control-system-authentication-bypass"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Avoid using cookie data for a security-related decision.

Mitigation
Implementation

Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.

Mitigation
Architecture and Design

Add integrity checks to detect tampering.

Mitigation
Architecture and Design

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

CAPEC-226: Session Credential Falsification through Manipulation

An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

CAPEC-39: Manipulating Opaque Client-based Data Tokens

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.