VYPR

CWE-565

Reliance on Cookies without Validation and Integrity Checking

BaseIncomplete

Description

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-226 · CAPEC-31 · CAPEC-39

CVEs mapped to this weakness (31)

page 2 of 2
  • CVE-2024-21583MedJul 19, 2024
    risk 0.20cvss 4.1epss 0.01

    Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/install/installer/p…

  • CVE-2024-28233Mar 27, 2024
    risk 0.00cvss epss 0.00

    JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access…

  • CVE-2022-36032Sep 6, 2022
    risk 0.00cvss epss 0.01

    ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to…

  • CVE-2022-29248May 25, 2022
    risk 0.00cvss epss 0.01

    Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a…

  • CVE-2021-41819Jan 1, 2022
    risk 0.00cvss epss 0.03

    CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

  • CVE-2021-41263Nov 15, 2021
    risk 0.00cvss epss 0.01

    rails_multisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using `rails_multisite` alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be…

  • CVE-2021-3818Sep 27, 2021
    risk 0.00cvss epss 0.02

    grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking

  • CVE-2021-29624May 19, 2021
    risk 0.00cvss epss 0.01

    fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform…

  • CVE-2020-15128Jul 31, 2020
    risk 0.00cvss epss 0.01

    In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core…

  • CVE-2019-17104Oct 8, 2019
    risk 0.00cvss epss 0.02

    In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.

  • CVE-2011-3887Oct 25, 2011
    risk 0.00cvss epss 0.01

    Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors.