CWE-614
AllowedSensitive Cookie in HTTPS Session Without 'Secure' Attribute
Abstraction: Variant · Status: Draft
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
115 vulnerabilities reference this CWE, most recent first.
GHSA-FW75-5FRQ-VXHG
Vulnerability from github – Published: 2025-07-22 21:31 – Updated: 2025-07-23 15:31Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
{
"affected": [],
"aliases": [
"CVE-2025-8037"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-22T21:15:50Z",
"severity": "CRITICAL"
},
"details": "Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox \u003c 141, Firefox ESR \u003c 140.1, Thunderbird \u003c 141, and Thunderbird \u003c 140.1.",
"id": "GHSA-fw75-5frq-vxhg",
"modified": "2025-07-23T15:31:12Z",
"published": "2025-07-22T21:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8037"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1964767"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-56"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-59"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-61"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-63"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GH3J-QG8J-HHVJ
Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2023-06-23 21:30A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.
{
"affected": [],
"aliases": [
"CVE-2022-24045"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T13:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in Desigo DXR2 (All versions \u003c V01.21.142.5-22), Desigo PXC3 (All versions \u003c V01.21.142.4-18), Desigo PXC4 (All versions \u003c V02.20.142.10-10884), Desigo PXC5 (All versions \u003c V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as \u201cSecure\u201d, \u201cHttpOnly\u201d, or \u201cSameSite\u201d). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.",
"id": "GHSA-gh3j-qg8j-hhvj",
"modified": "2023-06-23T21:30:27Z",
"published": "2022-05-21T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24045"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2V7-3FQQ-7FF5
Vulnerability from github – Published: 2024-03-15 15:30 – Updated: 2024-03-15 15:30IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 269683.
{
"affected": [],
"aliases": [
"CVE-2023-46179"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-15T15:15:07Z",
"severity": "MODERATE"
},
"details": "IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 269683.",
"id": "GHSA-h2v7-3fqq-7ff5",
"modified": "2024-03-15T15:30:44Z",
"published": "2024-03-15T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46179"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269683"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7142038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H44J-33HM-F6C4
Vulnerability from github – Published: 2025-10-12 09:30 – Updated: 2025-10-12 09:30HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site.
{
"affected": [],
"aliases": [
"CVE-2025-52614"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T08:15:40Z",
"severity": "LOW"
},
"details": "HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site.",
"id": "GHSA-h44j-33hm-f6c4",
"modified": "2025-10-12T09:30:54Z",
"published": "2025-10-12T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52614"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H4P8-JFFM-9CCH
Vulnerability from github – Published: 2025-01-27 03:30 – Updated: 2025-01-27 03:30IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2024-28771"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T02:15:28Z",
"severity": "MODERATE"
},
"details": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-h4p8-jffm-9cch",
"modified": "2025-01-27T03:30:26Z",
"published": "2025-01-27T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28771"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7161444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHXG-PX5H-JC32
Vulnerability from github – Published: 2022-12-30 12:30 – Updated: 2024-03-01 14:24A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The name of the patch is dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-macaron/csrf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20180426211050-dadd1711a617"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25060"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T21:58:58Z",
"nvd_published_at": "2022-12-30T12:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file `csrf.go`. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The name of the patch is dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability.",
"id": "GHSA-hhxg-px5h-jc32",
"modified": "2024-03-01T14:24:38Z",
"published": "2022-12-30T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25060"
},
{
"type": "WEB",
"url": "https://github.com/go-macaron/csrf/pull/7"
},
{
"type": "WEB",
"url": "https://github.com/go-macaron/csrf/commit/dadd1711a617000b70e5e408a76531b73187031c"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-macaron/csrf"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1213"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217058"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217058"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Macaron csrf missing encryption and has sensitive cookies in HTTP session without secure attribute"
}
GHSA-HP26-Q6WQ-VRFP
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
{
"affected": [],
"aliases": [
"CVE-2022-21940"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-614",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.",
"id": "GHSA-hp26-q6wq-vrfp",
"modified": "2023-02-17T18:30:24Z",
"published": "2023-02-09T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21940"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HWC3-H295-HHG9
Vulnerability from github – Published: 2024-07-14 15:30 – Updated: 2024-07-14 15:30IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 296001.
{
"affected": [],
"aliases": [
"CVE-2024-39734"
],
"database_specific": {
"cwe_ids": [
"CWE-565",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-14T13:15:21Z",
"severity": "MODERATE"
},
"details": "IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 296001.",
"id": "GHSA-hwc3-h295-hhg9",
"modified": "2024-07-14T15:30:57Z",
"published": "2024-07-14T15:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39734"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/296001"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7160185"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J7P4-JQG9-W23J
Vulnerability from github – Published: 2025-09-09 21:30 – Updated: 2025-09-09 21:30IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2025-36011"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T20:15:39Z",
"severity": "MODERATE"
},
"details": "IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-j7p4-jqg9-w23j",
"modified": "2025-09-09T21:30:29Z",
"published": "2025-09-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36011"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7244357"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M3G7-WRRQ-V5C8
Vulnerability from github – Published: 2023-01-05 00:30 – Updated: 2023-01-11 20:55Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in version 0.5.0b3.dev32.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0055"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-06T23:11:58Z",
"nvd_published_at": "2023-01-04T22:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in version 0.5.0b3.dev32.",
"id": "GHSA-m3g7-wrrq-v5c8",
"modified": "2023-01-11T20:55:00Z",
"published": "2023-01-05T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0055"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/7b53b8d43c2c072b457dcd19c8a09bcfc3721703"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ed88e240-99ff-48a1-bf32-8e1ef5f13cce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pyload contains Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
Mitigation
Always set the secure attribute when the cookie should be sent via HTTPS only.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.