Total
23 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47289 | 2025-06-02 | 6.3 Medium | ||
| CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue. | ||||
| CVE-2025-26844 | 2025-05-12 | 9.8 Critical | ||
| An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag. | ||||
| CVE-2022-25172 | 1 Inhandnetworks | 2 Ir302, Ir302 Firmware | 2025-04-15 | 6.1 Medium |
| An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie. | ||||
| CVE-2022-4630 | 1 Daloradius | 1 Daloradius | 2025-04-14 | 5.3 Medium |
| Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master. | ||||
| CVE-2022-21939 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2025-03-24 | 7.5 High |
| Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | ||||
| CVE-2025-24318 | 2025-02-28 | 6.8 Medium | ||
| Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise. | ||||
| CVE-2025-0479 | 2025-01-21 | N/A | ||
| This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system. | ||||
| CVE-2023-2876 | 1 Abb | 6 Rex640 Pcl1, Rex640 Pcl1 Firmware, Rex640 Pcl2 and 3 more | 2025-01-03 | 3.1 Low |
| Sensitive Cookie Without 'HttpOnly' Flag vulnerability in ABB REX640 PCL1 (firmware modules), ABB REX640 PCL2 (Firmware modules), ABB REX640 PCL3 (firmware modules) allows Cross-Site Scripting (XSS).This issue affects REX640 PCL1: from 1.0;0 before 1.0.8; REX640 PCL2: from 1.0;0 before 1.1.4; REX640 PCL3: from 1.0;0 before 1.2.1. | ||||
| CVE-2024-6739 | 1 Openfind | 2 Mailaudit, Mailgates | 2024-11-21 | 5.3 Medium |
| The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. | ||||
| CVE-2024-41685 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2024-11-21 | 7.5 High |
| This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system. | ||||
| CVE-2023-4228 | 1 Moxa | 2 Iologik E4200, Iologik E4200 Firmware | 2024-11-21 | 3.1 Low |
| A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation. | ||||
| CVE-2023-4217 | 1 Moxa | 2 Eds-g503, Eds-g503 Firmware | 2024-11-21 | 3.1 Low |
| A vulnerability has been identified in PT-G503 Series versions prior to v5.2, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation. | ||||
| CVE-2022-33167 | 1 Ibm | 2 Security Directory Integrator, Security Verify Directory Integrator | 2024-11-21 | 3.7 Low |
| IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587. | ||||
| CVE-2021-42115 | 1 Businessdnasolutions | 1 Topease | 2024-11-21 | 8.1 High |
| Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attacker to escalate privileges from unauthenticated to authenticated user via stealing and injecting the session- independent and static cookie UID. | ||||
| CVE-2021-3706 | 1 Pi-hole | 1 Web Interface | 2024-11-21 | 7.5 High |
| adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag | ||||
| CVE-2021-39210 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 6.5 Medium |
| GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature. | ||||
| CVE-2021-34563 | 1 Pepperl-fuchs | 4 Wha-gw-f2d2-0-as-z2-eth, Wha-gw-f2d2-0-as-z2-eth.eip, Wha-gw-f2d2-0-as-z2-eth.eip Firmware and 1 more | 2024-11-21 | 3.3 Low |
| In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript. | ||||
| CVE-2020-6267 | 1 Sap | 1 Disclosure Management | 2024-11-21 | 5.4 Medium |
| Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag. | ||||
| CVE-2020-27658 | 1 Synology | 1 Router Manager | 2024-11-21 | 7.1 High |
| Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | ||||
| CVE-2019-8283 | 1 Gemalto | 1 Sentinel Ldk | 2024-11-21 | 6.5 Medium |
| Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it. | ||||