CWE-614
AllowedSensitive Cookie in HTTPS Session Without 'Secure' Attribute
Abstraction: Variant · Status: Draft
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
115 vulnerabilities reference this CWE, most recent first.
CVE-2022-25151 (GCVE-0-2022-25151)
Vulnerability from cvelistv5 – Published: 2022-06-08 00:00 – Updated: 2025-03-11 13:40- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://csirt.divd.nl/DIVD-2021-00037 | x_refsource_CONFIRMrelated |
| https://csirt.divd.nl/CVE-2022-25151 | x_refsource_CONFIRMthird-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| ITarian | ITarian SaaS platform / on-premise |
Affected:
any version , < 6.35.37347.20040
(custom)
|
|
| itarian | on-premise |
Affected:
0 , < 6.35.37347.20040
(custom)
cpe:2.3:a:itarian:on-premise:*:*:*:*:*:*:*:* |
|
| itarian | saas_service_desk |
Affected:
0 , < 6.35.37347.20040
(custom)
cpe:2.3:a:itarian:saas_service_desk:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:itarian:on-premise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "on-premise",
"vendor": "itarian",
"versions": [
{
"lessThan": "6.35.37347.20040",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:itarian:saas_service_desk:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "saas_service_desk",
"vendor": "itarian",
"versions": [
{
"lessThan": "6.35.37347.20040",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T20:17:47.486579Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T20:23:45.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"related",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2021-00037"
},
{
"tags": [
"x_refsource_CONFIRM",
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-25151"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ITarian SaaS platform / on-premise",
"vendor": "ITarian",
"versions": [
{
"lessThan": "6.35.37347.20040",
"status": "affected",
"version": "any version",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Wietse Boonstra (DIVD)"
},
{
"lang": "en",
"type": "finder",
"value": "Hidde Smit (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Vicotr Gevers (DIVD)"
}
],
"datePublic": "2022-02-22T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eWithin the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.\u003c/p\u003e"
}
],
"value": "Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:40:40.103Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"related"
],
"url": "https://csirt.divd.nl/DIVD-2021-00037"
},
{
"tags": [
"x_refsource_CONFIRM",
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-25151"
}
],
"source": {
"advisory": "DIVD-2021-00037",
"discovery": "INTERNAL"
},
"title": "ITarian - Session cookie not protected by HttpOnly flag",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-25151",
"datePublished": "2022-06-08T00:00:00.000Z",
"dateReserved": "2022-02-14T00:00:00.000Z",
"dateUpdated": "2025-03-11T13:40:40.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24045 (GCVE-0-2022-24045)
Vulnerability from cvelistv5 – Published: 2022-05-10 09:46 – Updated: 2024-08-03 03:59- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | Desigo DXR2 |
Affected:
All versions < V01.21.142.5-22
|
|
| Siemens | Desigo PXC3 |
Affected:
All versions < V01.21.142.4-18
|
|
| Siemens | Desigo PXC4 |
Affected:
All versions < V02.20.142.10-10884
|
|
| Siemens | Desigo PXC5 |
Affected:
All versions < V02.20.142.10-10884
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Desigo DXR2",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V01.21.142.5-22"
}
]
},
{
"product": "Desigo PXC3",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V01.21.142.4-18"
}
]
},
{
"product": "Desigo PXC4",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V02.20.142.10-10884"
}
]
},
{
"product": "Desigo PXC5",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V02.20.142.10-10884"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Desigo DXR2 (All versions \u003c V01.21.142.5-22), Desigo PXC3 (All versions \u003c V01.21.142.4-18), Desigo PXC4 (All versions \u003c V02.20.142.10-10884), Desigo PXC5 (All versions \u003c V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as \u201cSecure\u201d, \u201cHttpOnly\u201d, or \u201cSameSite\u201d). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T09:21:35.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2022-24045",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Desigo DXR2",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V01.21.142.5-22"
}
]
}
},
{
"product_name": "Desigo PXC3",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V01.21.142.4-18"
}
]
}
},
{
"product_name": "Desigo PXC4",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V02.20.142.10-10884"
}
]
}
},
{
"product_name": "Desigo PXC5",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V02.20.142.10-10884"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Desigo DXR2 (All versions \u003c V01.21.142.5-22), Desigo PXC3 (All versions \u003c V01.21.142.4-18), Desigo PXC4 (All versions \u003c V02.20.142.10-10884), Desigo PXC5 (All versions \u003c V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as \u201cSecure\u201d, \u201cHttpOnly\u201d, or \u201cSameSite\u201d). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-24045",
"datePublished": "2022-05-10T09:46:56.000Z",
"dateReserved": "2022-01-27T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21940 (GCVE-0-2022-21940)
Vulnerability from cvelistv5 – Published: 2023-02-09 20:54 – Updated: 2025-03-24 18:12- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| Vendor | Product | Version | |
|---|---|---|---|
| Johnson Controls | System Configuration Tool (SCT) |
Affected:
14 , < 14.2.3
(custom)
Affected: 15 , < 15.0.3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:00:53.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T18:12:06.969930Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:12:16.046Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "System Configuration Tool (SCT)",
"vendor": "Johnson Controls",
"versions": [
{
"lessThan": "14.2.3",
"status": "affected",
"version": "14",
"versionType": "custom"
},
{
"lessThan": "15.0.3",
"status": "affected",
"version": "15",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-02-09T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
}
],
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614: Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-09T20:54:02.226Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update SCT version 14 with patch 14.2.3"
}
],
"value": "Update SCT version 14 with patch 14.2.3"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update SCT version 15 with patch 15.0.3\u003cbr\u003e"
}
],
"value": "Update SCT version 15 with patch 15.0.3\n"
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
}
],
"value": "Contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS)."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in System Configuration Tool (SCT)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2022-21940",
"datePublished": "2023-02-09T20:54:02.226Z",
"dateReserved": "2021-12-15T20:21:18.771Z",
"dateUpdated": "2025-03-24T18:12:16.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4683 (GCVE-0-2022-4683)
Vulnerability from cvelistv5 – Published: 2022-12-23 00:00 – Updated: 2025-04-09 18:51- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| Vendor | Product | Version | |
|---|---|---|---|
| usememos | usememos/memos |
Affected:
unspecified , < 0.9.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:48:39.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/84973f6b-739a-4d7e-8757-fc58cbbaf6ef"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/usememos/memos/commit/7efa749c6628c75b19a912ca170529f5c293bb2e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4683",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T18:02:08.307835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T18:51:50.945Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "usememos/memos",
"vendor": "usememos",
"versions": [
{
"lessThan": "0.9.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository usememos/memos prior to 0.9.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-23T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/84973f6b-739a-4d7e-8757-fc58cbbaf6ef"
},
{
"url": "https://github.com/usememos/memos/commit/7efa749c6628c75b19a912ca170529f5c293bb2e"
}
],
"source": {
"advisory": "84973f6b-739a-4d7e-8757-fc58cbbaf6ef",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in usememos/memos"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-4683",
"datePublished": "2022-12-23T00:00:00.000Z",
"dateReserved": "2022-12-23T00:00:00.000Z",
"dateUpdated": "2025-04-09T18:51:50.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4409 (GCVE-0-2022-4409)
Vulnerability from cvelistv5 – Published: 2022-12-11 00:00 – Updated: 2025-04-14 17:59- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| Vendor | Product | Version | |
|---|---|---|---|
| thorsten | thorsten/phpmyfaq |
Affected:
unspecified , < 3.1.9
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:41:44.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/5915ed4c-5fe2-42e7-8fac-5dd0d032727c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/thorsten/phpmyfaq/commit/8b47f38"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4409",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T14:43:47.871034Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T17:59:13.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thorsten/phpmyfaq",
"vendor": "thorsten",
"versions": [
{
"lessThan": "3.1.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-11T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/5915ed4c-5fe2-42e7-8fac-5dd0d032727c"
},
{
"url": "https://github.com/thorsten/phpmyfaq/commit/8b47f38"
}
],
"source": {
"advisory": "5915ed4c-5fe2-42e7-8fac-5dd0d032727c",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in thorsten/phpmyfaq"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-4409",
"datePublished": "2022-12-11T00:00:00.000Z",
"dateReserved": "2022-12-11T00:00:00.000Z",
"dateUpdated": "2025-04-14T17:59:13.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3251 (GCVE-0-2022-3251)
Vulnerability from cvelistv5 – Published: 2022-09-21 16:55 – Updated: 2025-05-28 13:44- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/b9a1b411-060b-4235-942… | x_refsource_CONFIRM |
| https://github.com/ikus060/minarca/commit/7b5c7e6… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| ikus060 | ikus060/minarca |
Affected:
unspecified , < 4.2.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:05.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/b9a1b411-060b-4235-9426-e39bd0a1d6d9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ikus060/minarca/commit/7b5c7e6cbd59268d5cd4f1b5f42e721db116f71a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T13:44:05.201890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T13:44:19.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ikus060/minarca",
"vendor": "ikus060",
"versions": [
{
"lessThan": "4.2.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository ikus060/minarca prior to 4.2.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-21T16:55:08.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/b9a1b411-060b-4235-9426-e39bd0a1d6d9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ikus060/minarca/commit/7b5c7e6cbd59268d5cd4f1b5f42e721db116f71a"
}
],
"source": {
"advisory": "b9a1b411-060b-4235-9426-e39bd0a1d6d9",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in ikus060/minarca",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3251",
"STATE": "PUBLIC",
"TITLE": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in ikus060/minarca"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ikus060/minarca",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.2.2"
}
]
}
}
]
},
"vendor_name": "ikus060"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository ikus060/minarca prior to 4.2.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/b9a1b411-060b-4235-9426-e39bd0a1d6d9",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/b9a1b411-060b-4235-9426-e39bd0a1d6d9"
},
{
"name": "https://github.com/ikus060/minarca/commit/7b5c7e6cbd59268d5cd4f1b5f42e721db116f71a",
"refsource": "MISC",
"url": "https://github.com/ikus060/minarca/commit/7b5c7e6cbd59268d5cd4f1b5f42e721db116f71a"
}
]
},
"source": {
"advisory": "b9a1b411-060b-4235-9426-e39bd0a1d6d9",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3251",
"datePublished": "2022-09-21T16:55:08.000Z",
"dateReserved": "2022-09-20T00:00:00.000Z",
"dateUpdated": "2025-05-28T13:44:19.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3250 (GCVE-0-2022-3250)
Vulnerability from cvelistv5 – Published: 2022-09-21 16:55 – Updated: 2025-05-28 13:43- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d… | x_refsource_CONFIRM |
| https://github.com/ikus060/rdiffweb/commit/ac334d… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| ikus060 | ikus060/rdiffweb |
Affected:
unspecified , < 2.4.6
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:05.912Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3250",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T13:43:20.051648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T13:43:28.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ikus060/rdiffweb",
"vendor": "ikus060",
"versions": [
{
"lessThan": "2.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-21T16:55:14.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee"
}
],
"source": {
"advisory": "39889a3f-8bb7-448a-b0d4-a18c671bbd23",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in ikus060/rdiffweb",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3250",
"STATE": "PUBLIC",
"TITLE": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in ikus060/rdiffweb"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ikus060/rdiffweb",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.6"
}
]
}
}
]
},
"vendor_name": "ikus060"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT",
"availabilityImpact": "LOW",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23"
},
{
"name": "https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee",
"refsource": "MISC",
"url": "https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee"
}
]
},
"source": {
"advisory": "39889a3f-8bb7-448a-b0d4-a18c671bbd23",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3250",
"datePublished": "2022-09-21T16:55:14.000Z",
"dateReserved": "2022-09-20T00:00:00.000Z",
"dateUpdated": "2025-05-28T13:43:28.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3174 (GCVE-0-2022-3174)
Vulnerability from cvelistv5 – Published: 2022-09-13 09:20 – Updated: 2024-08-03 01:00- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5c… | x_refsource_CONFIRM |
| https://github.com/ikus060/rdiffweb/commit/f2de23… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| ikus060 | ikus060/rdiffweb |
Affected:
unspecified , < 2.4.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ikus060/rdiffweb",
"vendor": "ikus060",
"versions": [
{
"lessThan": "2.4.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T09:20:16.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e"
}
],
"source": {
"advisory": "d8a32bd6-c76d-4140-a5ca-ef368a3058ce",
"discovery": "EXTERNAL"
},
"title": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in ikus060/rdiffweb",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-3174",
"STATE": "PUBLIC",
"TITLE": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in ikus060/rdiffweb"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ikus060/rdiffweb",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.2"
}
]
}
}
]
},
"vendor_name": "ikus060"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce"
},
{
"name": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e",
"refsource": "MISC",
"url": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e"
}
]
},
"source": {
"advisory": "d8a32bd6-c76d-4140-a5ca-ef368a3058ce",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-3174",
"datePublished": "2022-09-13T09:20:16.000Z",
"dateReserved": "2022-09-12T00:00:00.000Z",
"dateUpdated": "2024-08-03T01:00:10.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35236 (GCVE-0-2021-35236)
Vulnerability from cvelistv5 – Published: 2021-10-27 00:57 – Updated: 2024-09-16 21:56- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://documentation.solarwinds.com/en/success_c… | x_refsource_MISC |
| https://www.solarwinds.com/trust-center/security-… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| SolarWinds | Kiwi Syslog Server |
Affected:
9.7.2 and Previous Versions , < 9.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kiwi Syslog Server",
"vendor": "SolarWinds",
"versions": [
{
"lessThan": "9.8",
"status": "affected",
"version": "9.7.2 and Previous Versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-10-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T00:57:02.000Z",
"orgId": "49f11609-934d-4621-84e6-e02e032104d6",
"shortName": "SolarWinds"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236"
}
],
"solutions": [
{
"lang": "en",
"value": "SolarWinds advises Kiwi Syslog Server customers to upgrade to the latest version (9.8) once it becomes generally available."
}
],
"source": {
"defect": [
"CVE-2021-35236"
],
"discovery": "UNKNOWN"
},
"title": "Missing Secure Flag From SSL Cookie",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@solarwinds.com",
"DATE_PUBLIC": "2021-10-14T14:48:00.000Z",
"ID": "CVE-2021-35236",
"STATE": "PUBLIC",
"TITLE": "Missing Secure Flag From SSL Cookie"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kiwi Syslog Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7.2 and Previous Versions",
"version_value": "9.8"
}
]
}
}
]
},
"vendor_name": "SolarWinds"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm",
"refsource": "MISC",
"url": "https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm"
},
{
"name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236",
"refsource": "MISC",
"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236"
}
]
},
"solution": [
{
"lang": "en",
"value": "SolarWinds advises Kiwi Syslog Server customers to upgrade to the latest version (9.8) once it becomes generally available."
}
],
"source": {
"defect": [
"CVE-2021-35236"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
"assignerShortName": "SolarWinds",
"cveId": "CVE-2021-35236",
"datePublished": "2021-10-27T00:57:02.178Z",
"dateReserved": "2021-06-22T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:56:34.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27764 (GCVE-0-2021-27764)
Vulnerability from cvelistv5 – Published: 2022-05-06 18:10 – Updated: 2024-09-16 19:09- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
| URL | Tags |
|---|---|
| https://support.hcltechsw.com/csm?id=kb_article&s… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| HCL Software | HCL BigFix WebUI |
Affected:
9.0, 10.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:10.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HCL BigFix WebUI",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "9.0, 10.0"
}
]
}
],
"datePublic": "2022-04-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-09T20:15:11.000Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix WebUI Cookie missing attributes",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@hcl.com",
"DATE_PUBLIC": "2022-04-07T00:00:00.000Z",
"ID": "CVE-2021-27764",
"STATE": "PUBLIC",
"TITLE": "HCL BigFix WebUI Cookie missing attributes"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HCL BigFix WebUI",
"version": {
"version_data": [
{
"version_value": "9.0, 10.0"
}
]
}
}
]
},
"vendor_name": "HCL Software"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778",
"refsource": "MISC",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2021-27764",
"datePublished": "2022-05-06T18:10:35.347Z",
"dateReserved": "2021-02-26T00:00:00.000Z",
"dateUpdated": "2024-09-16T19:09:03.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Always set the secure attribute when the cookie should be sent via HTTPS only.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.