CWE-539
Use of Persistent Cookies Containing Sensitive Information
Description
The web application uses persistent cookies, but the cookies contain sensitive information.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60
CVEs mapped to this weakness (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-35192 | Med | 0.35 | 6.5 | 0.01 | May 5, 2026 | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier,… | ||
| CVE-2026-24318 | Med | 0.27 | 4.2 | 0.00 | Apr 14, 2026 | Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept… | ||
| CVE-2025-52633 | Low | 0.20 | 3.1 | 0.00 | Feb 3, 2026 | HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0. | ||
| CVE-2023-30861 | 0.00 | — | 0.01 | May 2, 2023 | Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send… |
- risk 0.35cvss 6.5epss 0.01
An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier,…
- risk 0.27cvss 4.2epss 0.00
Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept…
- risk 0.20cvss 3.1epss 0.00
HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0.
- CVE-2023-30861May 2, 2023risk 0.00cvss —epss 0.01
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send…