Common Weakness Enumeration

CWE-614

Allowed

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Abstraction: Variant · Status: Draft

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

115 vulnerabilities reference this CWE, most recent first.

GHSA-VPXM-CR3R-PJP9

Vulnerability from github – Published: 2025-01-30 17:50 – Updated: 2025-01-30 17:50
VLAI
Summary
General OpenMRS Security Advisory, January 2025: Penetration Testing Results and Patches
Details

Impact

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules.

This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

Vulnerability Details

  • The issues uncovered included broken access control (e.g. inappropriate admin access), phishing vulnerability, and stored XSS (e.g. vulnerable passwords).
  • No vulnerabilities were found in the O3 frontend esm modules.
  • The Letter of Attestation from the penetration test is available here for your reference.
  • After the fixes were applied, the OpenMRS O3 RefApp met a Security Level of “Excellent, Grade A”.
  • The full detailed Remediation Pentest Report is available to Implementation Technical Leads upon request.

Patches

Minimum Requirements for Implementers: We strongly recommend upgrading your modules to the following versions (or greater) as soon as possible. This is the minimum amount to do and be protected from the vulnerabilities found and fixed. The following versions contain the patch:

  • Platform 2.6.11+
  • How: Increase your platform version number wherever this is specified in your implementation. If you use the OpenMRS SDK, this will be in the distro.properties file.
  • Notes:
    • The newly released Platform 2.7 also includes the fixes. Release Notes and more download options here.
    • Platform 2.6.8+ has most of the fixes, but these are broken if you don't use SSL, so Platform 2.6.11 or higher is preferred.
    • For those still on Platform 2.5+ such as the Bahmni ecosystem, the new 2.5.14 release includes the patch. Bahmni note: The upcoming patch release for both Bahmni Lite and Bahmni Standard will incorporate these security fixes.
  • Legacy UI OMOD 1.21.0+ (here)
  • ID Gen OMOD 4.14.0+ (here)
  • Address Hierarchy OMOD 2.19.0+ (here)
  • Attachments OMOD 3.6.0+ (here)
  • Patient Flags OMOD 3.0.8+ (here)

Workarounds

There are no practical workarounds to fix or remediate the vulnerabilities without upgrading. Technically, you could remove the affected OMODs, but this would badly degrade the system's functionality.

Thank you to our amazing Security contributors!

Thank you to security firm UnderDefense, and to the OpenMRS Security Group contributors for their patch support - specific thanks to Daniel Kayiwa, Samuel Lubwama, Ian Bacher, Rafal Korytkowski, and Michael Seaton.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs:openmrs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.module:legacyui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.module:idgen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.module:addresshierarchy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.module:attachments"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openmrs.module:patientflags"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-284",
      "CWE-601",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-30T17:50:52Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nWe recently underwent Penetration Testing of OpenMRS by a third-party company. **Vulnerabilities were found, and fixes have been made and released.** We\u0027ve released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules.\n\n**This notice applies to _all_ OpenMRS instances.** The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp. \n\n## Vulnerability Details\n- The issues uncovered included broken access control (e.g. inappropriate admin access), phishing vulnerability, and stored XSS (e.g. vulnerable passwords).\n- No vulnerabilities were found in the O3 frontend esm modules. \n- The Letter of Attestation from the penetration test is [available here](https://drive.google.com/file/d/1sBm4-FzLA8hSoM9wYknBfgEttBHyLvoU/view?usp=sharing) for your reference. \n- After the fixes were applied, the OpenMRS O3 RefApp met a Security Level of \u201cExcellent, Grade A\u201d.\n- The full detailed Remediation Pentest Report is available to Implementation Technical Leads upon request.\n\n### Patches\n**Minimum Requirements for Implementers:** We **strongly** recommend upgrading your modules to the following versions (or greater) as soon as possible. **This is the minimum amount to do and be protected from the vulnerabilities found and fixed.** The following versions contain the patch: \n\n- **Platform** 2.6.11+ \n  - How: Increase your platform version number wherever this is specified in your implementation. If you use the OpenMRS SDK, this will be in the distro.properties file.\n  - Notes: \n    - The newly released [**Platform 2.7**](https://sourceforge.net/projects/openmrs/files/releases/OpenMRS_Platform_2.7.0/) also includes the fixes. [Release Notes and more download options here](https://openmrs.atlassian.net/wiki/x/XoBzEQ).\n    - Platform 2.6.8+ has most of the fixes, but these are broken if you don\u0027t use SSL, so Platform 2.6.11 or higher is preferred.\n    - For those still on Platform 2.5+ such as the Bahmni ecosystem, the new [2.5.14](https://ci.openmrs.org/browse/TRUNK-CORE2-232) release includes the patch. _Bahmni note: The upcoming patch release for both Bahmni Lite and Bahmni Standard will incorporate these security fixes._\n- **Legacy UI** OMOD 1.21.0+ ([here](https://addons.openmrs.org/show/org.openmrs.module.legacyui))\n- **ID Gen** OMOD 4.14.0+ ([here](https://addons.openmrs.org/show/org.openmrs.module.idgen))\n- **Address Hierarchy** OMOD 2.19.0+ ([here](https://addons.openmrs.org/show/org.openmrs.module.addresshierarchy))\n- **Attachments** OMOD 3.6.0+ ([here](https://addons.openmrs.org/show/org.openmrs.module.attachments))\n- **Patient Flags** OMOD 3.0.8+ ([here](https://addons.openmrs.org/show/org.openmrs.module.patientflags))\n\n### Workarounds\nThere are no practical workarounds to fix or remediate the vulnerabilities without upgrading. Technically, you could remove the affected OMODs, but this would badly degrade the system\u0027s functionality.\n\n## Thank you to our amazing Security contributors!\nThank you to security firm UnderDefense, and to the OpenMRS Security Group contributors for their patch support - specific thanks to Daniel Kayiwa, Samuel Lubwama, Ian Bacher, Rafal Korytkowski, and Michael Seaton. \n",
  "id": "GHSA-vpxm-cr3r-pjp9",
  "modified": "2025-01-30T17:50:52Z",
  "published": "2025-01-30T17:50:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openmrs/openmrs-core/security/advisories/GHSA-vpxm-cr3r-pjp9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openmrs/openmrs-core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "General OpenMRS Security Advisory, January 2025: Penetration Testing Results and Patches"
}

GHSA-VVC8-JFGX-2XM5

Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-04 12:30
VLAI
Details

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52608"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T12:16:23Z",
    "severity": "LOW"
  },
  "details": "HCL  iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.",
  "id": "GHSA-vvc8-jfgx-2xm5",
  "modified": "2026-06-04T12:30:25Z",
  "published": "2026-06-04T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52608"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131061"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPGC-5CR5-H9GG

Vulnerability from github – Published: 2022-12-11 15:30 – Updated: 2022-12-13 17:56
VLAI
Summary
phpMyFAQ has insecure HTTP cookies
Details

phpMyFAQ is contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in versions prior to 3.1.9.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-4409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T22:06:06Z",
    "nvd_published_at": "2022-12-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "phpMyFAQ is contains Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in versions prior to 3.1.9.",
  "id": "GHSA-wpgc-5cr5-h9gg",
  "modified": "2022-12-13T17:56:45Z",
  "published": "2022-12-11T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/c16cc2bbe2687f75aa1204b804483091fae43cba"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpmyfaq/commit/8b47f38"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpmyfaq"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/5915ed4c-5fe2-42e7-8fac-5dd0d032727c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ has insecure HTTP cookies"
}

GHSA-WWPC-74VX-C2X3

Vulnerability from github – Published: 2025-01-20 12:30 – Updated: 2025-01-20 12:30
VLAI
Details

This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system.

Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-20T12:15:23Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system.\n \nSuccessful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system.",
  "id": "GHSA-wwpc-74vx-c2x3",
  "modified": "2025-01-20T12:30:51Z",
  "published": "2025-01-20T12:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0479"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WWQF-6P54-3CFQ

Vulnerability from github – Published: 2026-06-11 15:31 – Updated: 2026-06-11 15:31
VLAI
Details

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T13:16:32Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label \"not planned\".",
  "id": "GHSA-wwqf-6p54-3cfq",
  "modified": "2026-06-11T15:31:32Z",
  "published": "2026-06-11T15:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TwiN/gatus/issues/1689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TwiN/gatus"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-11956"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/836328"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/370343"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/370343/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Always set the secure attribute when the cookie should be sent via HTTPS only.

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.