Common Weakness Enumeration

CWE-614

Allowed

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Abstraction: Variant · Status: Draft

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

115 vulnerabilities reference this CWE, most recent first.

GHSA-FW75-5FRQ-VXHG

Vulnerability from github – Published: 2025-07-22 21:31 – Updated: 2025-07-23 15:31
VLAI
Details

Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T21:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox \u003c 141, Firefox ESR \u003c 140.1, Thunderbird \u003c 141, and Thunderbird \u003c 140.1.",
  "id": "GHSA-fw75-5frq-vxhg",
  "modified": "2025-07-23T15:31:12Z",
  "published": "2025-07-22T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8037"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1964767"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-56"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-59"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-61"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-63"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GH3J-QG8J-HHVJ

Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2023-06-23 21:30
VLAI
Details

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-20T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Desigo DXR2 (All versions \u003c V01.21.142.5-22), Desigo PXC3 (All versions \u003c V01.21.142.4-18), Desigo PXC4 (All versions \u003c V02.20.142.10-10884), Desigo PXC5 (All versions \u003c V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as \u201cSecure\u201d, \u201cHttpOnly\u201d, or \u201cSameSite\u201d). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information.",
  "id": "GHSA-gh3j-qg8j-hhvj",
  "modified": "2023-06-23T21:30:27Z",
  "published": "2022-05-21T00:00:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24045"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2V7-3FQQ-7FF5

Vulnerability from github – Published: 2024-03-15 15:30 – Updated: 2024-03-15 15:30
VLAI
Details

IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 269683.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-15T15:15:07Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.  IBM X-Force ID:  269683.",
  "id": "GHSA-h2v7-3fqq-7ff5",
  "modified": "2024-03-15T15:30:44Z",
  "published": "2024-03-15T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46179"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/269683"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7142038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H44J-33HM-F6C4

Vulnerability from github – Published: 2025-10-12 09:30 – Updated: 2025-10-12 09:30
VLAI
Details

HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-12T08:15:40Z",
    "severity": "LOW"
  },
  "details": "HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability.  A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site.",
  "id": "GHSA-h44j-33hm-f6c4",
  "modified": "2025-10-12T09:30:54Z",
  "published": "2025-10-12T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52614"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124417"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4P8-JFFM-9CCH

Vulnerability from github – Published: 2025-01-27 03:30 – Updated: 2025-01-27 03:30
VLAI
Details

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T02:15:28Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
  "id": "GHSA-h4p8-jffm-9cch",
  "modified": "2025-01-27T03:30:26Z",
  "published": "2025-01-27T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28771"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7161444"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHXG-PX5H-JC32

Vulnerability from github – Published: 2022-12-30 12:30 – Updated: 2024-03-01 14:24
VLAI
Summary
Macaron csrf missing encryption and has sensitive cookies in HTTP session without secure attribute
Details

A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The name of the patch is dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-macaron/csrf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20180426211050-dadd1711a617"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T21:58:58Z",
    "nvd_published_at": "2022-12-30T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file `csrf.go`. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The name of the patch is dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability.",
  "id": "GHSA-hhxg-px5h-jc32",
  "modified": "2024-03-01T14:24:38Z",
  "published": "2022-12-30T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25060"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-macaron/csrf/pull/7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-macaron/csrf/commit/dadd1711a617000b70e5e408a76531b73187031c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-macaron/csrf"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1213"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217058"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Macaron csrf missing encryption and has sensitive cookies in HTTP session without secure attribute"
}

GHSA-HP26-Q6WQ-VRFP

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 18:30
VLAI
Details

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.",
  "id": "GHSA-hp26-q6wq-vrfp",
  "modified": "2023-02-17T18:30:24Z",
  "published": "2023-02-09T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21940"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HWC3-H295-HHG9

Vulnerability from github – Published: 2024-07-14 15:30 – Updated: 2024-07-14 15:30
VLAI
Details

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 296001.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-14T13:15:21Z",
    "severity": "MODERATE"
  },
  "details": "IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.  IBM X-Force ID:  296001.",
  "id": "GHSA-hwc3-h295-hhg9",
  "modified": "2024-07-14T15:30:57Z",
  "published": "2024-07-14T15:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39734"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/296001"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7160185"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J7P4-JQG9-W23J

Vulnerability from github – Published: 2025-09-09 21:30 – Updated: 2025-09-09 21:30
VLAI
Details

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T20:15:39Z",
    "severity": "MODERATE"
  },
  "details": "IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
  "id": "GHSA-j7p4-jqg9-w23j",
  "modified": "2025-09-09T21:30:29Z",
  "published": "2025-09-09T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36011"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7244357"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3G7-WRRQ-V5C8

Vulnerability from github – Published: 2023-01-05 00:30 – Updated: 2023-01-11 20:55
VLAI
Summary
Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Details

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in version 0.5.0b3.dev32.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-0055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-06T23:11:58Z",
    "nvd_published_at": "2023-01-04T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in version 0.5.0b3.dev32.",
  "id": "GHSA-m3g7-wrrq-v5c8",
  "modified": "2023-01-11T20:55:00Z",
  "published": "2023-01-05T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0055"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/7b53b8d43c2c072b457dcd19c8a09bcfc3721703"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/ed88e240-99ff-48a1-bf32-8e1ef5f13cce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pyload contains Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}

Mitigation
Implementation

Always set the secure attribute when the cookie should be sent via HTTPS only.

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.