VYPR

CWE-1275

Sensitive Cookie with Improper SameSite Attribute

Abstraction: Variant
Status: Incomplete
Likelihood: Medium

Description

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

The SameSite attribute controls how cookies are sent on cross-site requests. It may take one of three values: 'Lax', 'Strict', or 'None'. If the 'None' value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically attaches that site's cookies to the request. This may lead to Cross-Site Request Forgery (CSRF) attacks if there are no additional protections in place (such as anti-CSRF tokens).
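The following Python script is an added example (not part of the VYPR or CWE entry) that shows the defensive side of this weakness: an audit routine that classifies Set-Cookie headers by their SameSite attribute (missing, None, Lax/Strict, or an invalid value), and a builder that emits a session cookie with SameSite set alongside Secure and HttpOnly. The sample headers are constructed for illustration; the function names are assumptions of this example.

```python
from http.cookies import SimpleCookie
from typing import Optional

# Constructed sample Set-Cookie header values, as a server might emit them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",          # SameSite absent entirely
    "auth=tok; Path=/; Secure; SameSite=None",     # explicit None: sent cross-site
    "csrftoken=xyz; Path=/; SameSite=Lax",         # acceptable
    "prefs=dark; Path=/; SameSite=Strict",         # acceptable
    "legacy=1; Path=/; SameSite=Bogus",            # value browsers do not recognise
]

# Values the CWE text names as the ones SameSite may take.
ACCEPTABLE = ("Lax", "Strict")


def samesite_of(header_value: str) -> Optional[str]:
    """Return the SameSite value of a Set-Cookie header, normalised to
    Lax/Strict/None capitalisation, or None when the attribute is absent."""
    for part in header_value.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().capitalize() or None
    return None


def audit_set_cookie(header_value: str) -> dict:
    """Classify one Set-Cookie header with respect to CWE-1275."""
    cookie_name = header_value.split(";", 1)[0].split("=", 1)[0].strip()
    samesite = samesite_of(header_value)
    if samesite is None:
        finding = "missing"   # attribute not set at all
    elif samesite == "None":
        finding = "none"      # explicitly allows cross-site sending
    elif samesite in ACCEPTABLE:
        finding = "ok"
    else:
        finding = "invalid"   # unrecognised value; treat as a defect
    return {"cookie": cookie_name, "samesite": samesite, "finding": finding}


def audit_headers(headers) -> list:
    """Return the audit records for every header that is not 'ok'."""
    return [r for r in (audit_set_cookie(h) for h in headers) if r["finding"] != "ok"]


def build_session_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Emit a Set-Cookie value for a sensitive cookie with SameSite, Secure
    and HttpOnly set. http.cookies supports the samesite attribute since
    Python 3.8."""
    if samesite not in ACCEPTABLE:
        raise ValueError("sensitive cookies should use Lax or Strict")
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = samesite
    return jar[name].OutputString()


if __name__ == "__main__":
    for record in audit_headers(SAMPLE_HEADERS):
        print(f"{record['cookie']}: SameSite={record['samesite']} -> {record['finding']}")
    print("hardened:", build_session_cookie("sessionid", "abc123"))
```

Running the audit over the constructed headers reports sessionid (missing), auth (None) and legacy (invalid); the builder's output passes the same audit as "ok". In a real deployment the audit would run over captured response headers from a test client or proxy rather than the embedded list.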

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-62

CVEs mapped to this weakness (1)

CVE: CVE-2025-52628
Severity: Med
Risk: 0.30
CVSS: 4.6
EPSS: 0.00
KEV: (none shown)
Published: Feb 3, 2026
Description: HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.