CWE-614
AllowedSensitive Cookie in HTTPS Session Without 'Secure' Attribute
Abstraction: Variant · Status: Draft
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
115 vulnerabilities reference this CWE, most recent first.
GHSA-M6JH-HGC7-XGGX
Vulnerability from github – Published: 2026-04-16 06:31 – Updated: 2026-04-22 21:31Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.
{
"affected": [],
"aliases": [
"CVE-2026-22617"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-16T06:16:08Z",
"severity": "MODERATE"
},
"details": "Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network\u2011based attacker to intercept the cookie and exploit it through a man\u2011in\u2011the\u2011middle attack.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.",
"id": "GHSA-m6jh-hgc7-xggx",
"modified": "2026-04-22T21:31:48Z",
"published": "2026-04-16T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22617"
},
{
"type": "WEB",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M748-HJQG-RPP8
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2024-10-25 21:27In rdiffweb prior to version 2.4.6, the cookie session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rdiffweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3250"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-22T22:52:16Z",
"nvd_published_at": "2022-09-21T17:15:00Z",
"severity": "MODERATE"
},
"details": "In rdiffweb prior to version 2.4.6, the `cookie` session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.",
"id": "GHSA-m748-hjqg-rpp8",
"modified": "2024-10-25T21:27:25Z",
"published": "2022-09-22T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3250"
},
{
"type": "WEB",
"url": "https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee"
},
{
"type": "PACKAGE",
"url": "https://github.com/ikus060/rdiffweb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-287.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "rdiffweb has insecure HTTP cookies"
}
GHSA-M754-RPQ6-3VF7
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-19 00:00Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)
{
"affected": [],
"aliases": [
"CVE-2021-27764"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)",
"id": "GHSA-m754-rpq6-3vf7",
"modified": "2022-05-19T00:00:28Z",
"published": "2022-05-07T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27764"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778coo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M825-V286-93RF
Vulnerability from github – Published: 2025-10-10 12:30 – Updated: 2025-10-10 12:30A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
{
"affected": [],
"aliases": [
"CVE-2025-52632"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T10:15:34Z",
"severity": "MODERATE"
},
"details": "A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.",
"id": "GHSA-m825-v286-93rf",
"modified": "2025-10-10T12:30:56Z",
"published": "2025-10-10T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52632"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJ67-2MVX-F778
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.
{
"affected": [],
"aliases": [
"CVE-2024-10718"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:18Z",
"severity": "MODERATE"
},
"details": "In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.",
"id": "GHSA-mj67-2mvx-f778",
"modified": "2025-03-20T12:32:40Z",
"published": "2025-03-20T12:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10718"
},
{
"type": "WEB",
"url": "https://github.com/phpipam/phpipam/commit/ddf70ef6801442eb8b0be5eea829e470e653c70e"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/725bce8f-328f-4fbc-acf5-46ea920cd3c1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJW4-XVX6-3GRG
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2024-10-25 21:32rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. This makes it so that a user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rdiffweb"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.1"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.1"
]
}
],
"aliases": [
"CVE-2022-3174"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:22:39Z",
"nvd_published_at": "2022-09-13T10:15:00Z",
"severity": "HIGH"
},
"details": "rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute. This makes it so that a user\u0027s cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.",
"id": "GHSA-mjw4-xvx6-3grg",
"modified": "2024-10-25T21:32:37Z",
"published": "2022-09-14T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3174"
},
{
"type": "WEB",
"url": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-mjw4-xvx6-3grg"
},
{
"type": "PACKAGE",
"url": "https://github.com/ikus060/rdiffweb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-271.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
GHSA-P4C4-FF2V-QPH3
Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-07-10 18:32IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 257702.
{
"affected": [],
"aliases": [
"CVE-2023-33860"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T16:15:03Z",
"severity": "MODERATE"
},
"details": "IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 257702.",
"id": "GHSA-p4c4-ff2v-qph3",
"modified": "2024-07-10T18:32:17Z",
"published": "2024-07-10T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33860"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257702"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7159770"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P8QP-4C23-F45X
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
{
"affected": [],
"aliases": [
"CVE-2026-32745"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:55:09Z",
"severity": "MODERATE"
},
"details": "In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings",
"id": "GHSA-p8qp-4c23-f45x",
"modified": "2026-03-13T21:31:51Z",
"published": "2026-03-13T21:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32745"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PR6J-Q8CQ-RHHR
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2025-01-14 21:31Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
{
"affected": [],
"aliases": [
"CVE-2020-27650"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-29T09:15:00Z",
"severity": "MODERATE"
},
"details": "Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.",
"id": "GHSA-pr6j-q8cq-rhhr",
"modified": "2025-01-14T21:31:41Z",
"published": "2022-05-24T17:32:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27650"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PX2M-R37R-WFR2
Vulnerability from github – Published: 2025-01-04 00:33 – Updated: 2025-01-04 00:33IBM PowerHA SystemMirror for i 7.4 and 7.5
does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2024-55897"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-03T23:15:08Z",
"severity": "MODERATE"
},
"details": "IBM PowerHA SystemMirror for i 7.4 and 7.5 \n\ndoes not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-px2m-r37r-wfr2",
"modified": "2025-01-04T00:33:41Z",
"published": "2025-01-04T00:33:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55897"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7180036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Always set the secure attribute when the cookie should be sent via HTTPS only.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.