CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-102
CVEs mapped to this weakness (28)
page 1 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-8037 | Cri | 0.59 | 9.1 | 0.00 | Jul 22, 2025 | Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and… | ||
| CVE-2025-53757 | Hig | 0.57 | — | 0.00 | Jul 16, 2025 | This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an… | ||
| CVE-2025-0479 | Hig | 0.56 | — | 0.00 | Jan 20, 2025 | This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful… | ||
| CVE-2026-53661 | Hig | 0.50 | — | 0.00 | Jun 11, 2026 | Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In… | ||
| CVE-2026-46398 | Hig | 0.50 | — | 0.00 | Jun 5, 2026 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via… | ||
| CVE-2024-2493 | Hig | 0.49 | 7.5 | 0.00 | Apr 23, 2024 | Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00. | ||
| CVE-2017-1000046 | Hig | 0.49 | 7.5 | 0.01 | Jul 17, 2017 | Mautic 2.6.1 and earlier fails to set flags on session cookies | ||
| CVE-2025-24390 | Med | 0.44 | 6.8 | 0.00 | Jan 27, 2025 | A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X | ||
| CVE-2026-43828 | Med | 0.42 | 6.5 | 0.00 | May 25, 2026 | Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the… | ||
| CVE-2025-52632 | Med | 0.42 | 6.5 | 0.00 | Oct 10, 2025 | A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0. | ||
| CVE-2026-32745 | Med | 0.41 | 6.3 | 0.00 | Mar 13, 2026 | In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings | ||
| CVE-2026-22617 | Med | 0.37 | 5.7 | 0.00 | Apr 16, 2026 | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP… | ||
| CVE-2026-41017 | Med | 0.31 | 5.9 | 0.00 | Jun 1, 2026 | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API… | ||
| CVE-2026-4820 | Med | 0.28 | 4.3 | 0.00 | Apr 1, 2026 | IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie… | ||
| CVE-2026-11956 | Low | 0.24 | 3.7 | 0.00 | Jun 11, 2026 | A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched… | ||
| CVE-2025-52608 | Low | 0.20 | 3.1 | 0.00 | Jun 4, 2026 | HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root. | ||
| CVE-2026-48058 | 0.00 | — | 0.00 | Jun 10, 2026 | `internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the… | |||
| CVE-2026-46550 | 0.00 | — | 0.00 | May 21, 2026 | ### Summary The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF… | |||
| CVE-2024-47833 | 0.00 | — | 0.00 | Oct 9, 2024 | Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and… | |||
| CVE-2023-5866 | — | 0.00 | — | 0.00 | Oct 31, 2023 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1. |
- risk 0.59cvss 9.1epss 0.00
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and…
- risk 0.57cvss —epss 0.00
This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an…
- risk 0.56cvss —epss 0.00
This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful…
- risk 0.50cvss —epss 0.00
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set without the Secure attribute. In…
- risk 0.50cvss —epss 0.00
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via…
- risk 0.49cvss 7.5epss 0.00
Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00.
- risk 0.49cvss 7.5epss 0.01
Mautic 2.6.1 and earlier fails to set flags on session cookies
- risk 0.44cvss 6.8epss 0.00
A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X
- risk 0.42cvss 6.5epss 0.00
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the…
- risk 0.42cvss 6.5epss 0.00
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
- risk 0.41cvss 6.3epss 0.00
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
- risk 0.37cvss 5.7epss 0.00
Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP…
- risk 0.31cvss 5.9epss 0.00
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API…
- risk 0.28cvss 4.3epss 0.00
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie…
- risk 0.24cvss 3.7epss 0.00
A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched…
- risk 0.20cvss 3.1epss 0.00
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.
- CVE-2026-48058Jun 10, 2026risk 0.00cvss —epss 0.00
`internal/web/session.go` and `internal/web/oidc.go` set `HttpOnly` and `SameSite=Lax` on every cookie but never `Secure`. A single plaintext request to the origin (operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration) discloses the…
- CVE-2026-46550May 21, 2026risk 0.00cvss —epss 0.00
### Summary The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF…
- CVE-2024-47833Oct 9, 2024risk 0.00cvss —epss 0.00
Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and…
- CVE-2023-5866Oct 31, 2023risk 0.00cvss —epss 0.00
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.