VYPR

CWE-565

Reliance on Cookies without Validation and Integrity Checking

Abstraction: Base · Status: Incomplete

Description

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-226 · CAPEC-31 · CAPEC-39

CVEs mapped to this weakness (31)

page 1 of 2
  • CVE-2026-0257 · Critical · KEV · May 13, 2026
    risk 0.76 · cvss 9.1 · epss 0.87

    Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.

  • CVE-2008-5784 · Critical · Dec 31, 2008
    risk 0.67 · cvss 9.8 · epss 0.07

    V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.

  • CVE-2014-125112 · Critical · Mar 26, 2026
    risk 0.64 · cvss 9.8 · epss 0.01

    Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of…

  • CVE-2022-50926 · Critical · Jan 13, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie's 'name' and 'roles' parameters to elevate from ordinary user to administrative privileges without…

  • CVE-2024-0947 · Critical · Jun 27, 2024
    risk 0.64 · cvss 9.8 · epss 0.00

    Reliance on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows Session Credential Falsification through Manipulation, Accessing/Intercepting/Modifying HTTP Cookies, Manipulating Opaque Client-based Data Tokens. This issue…

  • CVE-2023-3050 · Critical · Jun 13, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    Reliance on Cookies without Validation and Integrity Checking in a Security Decision vulnerability in TMT Lockcell allows Privilege Abuse, Authentication Bypass. This issue affects Lockcell: before 15.

  • CVE-2018-5190 · Critical · Apr 17, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    PicturesPro Photo Cart 6 and 7 before Security-Patch-2018-B allows remote attackers to access arbitrary customer accounts via a modified cookie, related to pc_head.php, pc_login.php, and pc_login_page.php.

  • CVE-2018-5455 · Critical · Mar 5, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    A Reliance on Cookies without Validation and Integrity Checking issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application allows a cookie parameter to consist of only digits, allowing an attacker to perform a brute force attack…

  • CVE-2017-7279 · Critical · Apr 12, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    An unprivileged user of the Unitrends Enterprise Backup before 9.0.0 web server can escalate to root privileges by modifying the "token" cookie issued at login.

  • CVE-2017-6896 · High · Mar 14, 2017
    risk 0.60 · cvss 8.8 · epss 0.04

    Privilege escalation vulnerability on the DIGISOL DG-HR1400 1.00.02 wireless router enables an attacker to escalate from user privilege to admin privilege just by modifying the Base64-encoded session cookie value.

  • CVE-2026-39324 · Critical · Apr 7, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of…

  • CVE-2025-14440 · Critical · Dec 13, 2025
    risk 0.57 · cvss 9.8 · epss 0.01

    The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the…

  • CVE-2021-47706 · High · Dec 9, 2025
    risk 0.57 · cvss (not listed) · epss 0.00

    COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge…

  • CVE-2024-22186 · High · Apr 18, 2024
    risk 0.57 · cvss 8.8 · epss 0.01

    The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator.

  • CVE-2026-5130 · High · Mar 30, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any…

  • CVE-2024-21872 · High · Apr 18, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allow more critical operations on the transmitter.

  • CVE-2026-39963 · Medium · Apr 15, 2026
    risk 0.45 · cvss 6.9 · epss 0.00

    Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as the domain parameter of setcookie(). An attacker who can influence the Host…

  • CVE-2017-8034 · Medium · Jul 17, 2017
    risk 0.43 · cvss 6.6 · epss 0.01

    The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA…

  • CVE-2025-48980 · Medium · Oct 31, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    In Brave Browser Desktop versions prior to 1.83.10 that have the split view feature enabled, the "Open Link in Split View" context menu item did not respect the SameSite cookie attribute. Therefore SameSite=Strict cookies would be sent on a cross-site navigation using this…

  • CVE-2026-8337 · Medium · May 21, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the…