VYPR

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Variant (Draft)

Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-102

CVEs mapped to this weakness (28)

page 1 of 2
  • CVE-2025-8037 (Critical), Jul 22, 2025
    risk 0.59, cvss 9.1, epss 0.00

    Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and…

  • CVE-2025-53757 (High), Jul 16, 2025
    risk 0.57, cvss n/a, epss 0.00

    This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an…

  • CVE-2025-0479 (High), Jan 20, 2025
    risk 0.56, cvss n/a, epss 0.00

    This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful…

  • CVE-2026-53661 (High), Jun 11, 2026
    risk 0.50, cvss n/a, epss 0.00

    Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In…

  • CVE-2026-46398 (High), Jun 5, 2026
    risk 0.50, cvss n/a, epss 0.00

    HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via…

  • CVE-2024-2493 (High), Apr 23, 2024
    risk 0.49, cvss 7.5, epss 0.00

    Session Hijacking vulnerability in Hitachi Ops Center Analyzer. This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00.

  • CVE-2017-1000046 (High), Jul 17, 2017
    risk 0.49, cvss 7.5, epss 0.01

    Mautic 2.6.1 and earlier fails to set flags on session cookies

  • CVE-2025-24390 (Medium), Jan 27, 2025
    risk 0.44, cvss 6.8, epss 0.00

    A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X

  • CVE-2026-43828 (Medium), May 25, 2026
    risk 0.42, cvss 6.5, epss 0.00

    Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the…

  • CVE-2025-52632 (Medium), Oct 10, 2025
    risk 0.42, cvss 6.5, epss 0.00

    A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.

  • CVE-2026-32745 (Medium), Mar 13, 2026
    risk 0.41, cvss 6.3, epss 0.00

    In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings

  • CVE-2026-22617 (Medium), Apr 16, 2026
    risk 0.37, cvss 5.7, epss 0.00

    Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP…

  • CVE-2026-41017 (Medium), Jun 1, 2026
    risk 0.31, cvss 5.9, epss 0.00

    Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API…

  • CVE-2026-4820 (Medium), Apr 1, 2026
    risk 0.28, cvss 4.3, epss 0.00

    IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie…

  • CVE-2026-11956 (Low), Jun 11, 2026
    risk 0.24, cvss 3.7, epss 0.00

    A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched…

  • CVE-2025-52608 (Low), Jun 4, 2026
    risk 0.20, cvss 3.1, epss 0.00

    HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. The path is also set to root.

  • CVE-2026-48058, Jun 10, 2026
    risk 0.00, cvss n/a, epss 0.00

    `internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the…

  • CVE-2026-46550, May 21, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF…

  • CVE-2024-47833, Oct 9, 2024
    risk 0.00, cvss n/a, epss 0.00

    Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and…

  • CVE-2023-5866, Oct 31, 2023
    risk 0.00, cvss n/a, epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.