CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
VariantDraft
Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-102
CVEs mapped to this weakness (9)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-8037 | Cri | 0.59 | 9.1 | 0.00 | Jul 22, 2025 | Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1. | |
| CVE-2025-53757 | Hig | 0.57 | — | 0.00 | Jul 16, 2025 | This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device. | |
| CVE-2025-0479 | Hig | 0.56 | — | 0.00 | Jan 20, 2025 | This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and compromise the targeted system. | |
| CVE-2024-2493 | Hig | 0.49 | 7.5 | 0.00 | Apr 23, 2024 | Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00. | |
| CVE-2025-24390 | Med | 0.44 | 6.8 | 0.00 | Jan 27, 2025 | A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X | |
| CVE-2025-52632 | Med | 0.42 | 6.5 | 0.00 | Oct 10, 2025 | A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0. | |
| CVE-2026-32745 | Med | 0.41 | 6.3 | 0.00 | Mar 13, 2026 | In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings | |
| CVE-2026-22617 | Med | 0.37 | 5.7 | 0.00 | Apr 16, 2026 | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | |
| CVE-2026-4820 | Med | 0.28 | 4.3 | 0.00 | Apr 1, 2026 | IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. |