Common Weakness Enumeration

CWE-614

Allowed

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Abstraction: Variant · Status: Draft

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

115 vulnerabilities reference this CWE, most recent first.

GHSA-M6JH-HGC7-XGGX

Vulnerability from github – Published: 2026-04-16 06:31 – Updated: 2026-04-22 21:31
VLAI
Details

Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-16T06:16:08Z",
    "severity": "MODERATE"
  },
  "details": "Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network\u2011based attacker to intercept the cookie and exploit it through a man\u2011in\u2011the\u2011middle attack.\u00a0This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre.",
  "id": "GHSA-m6jh-hgc7-xggx",
  "modified": "2026-04-22T21:31:48Z",
  "published": "2026-04-16T06:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22617"
    },
    {
      "type": "WEB",
      "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M748-HJQG-RPP8

Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2024-10-25 21:27
VLAI
Summary
rdiffweb has insecure HTTP cookies
Details

In rdiffweb prior to version 2.4.6, the cookie session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3250"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-22T22:52:16Z",
    "nvd_published_at": "2022-09-21T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In rdiffweb prior to version 2.4.6, the `cookie` session_id does not have a secure attribute when the URL is invalid. Version 2.4.6 contains a fix for the issue.",
  "id": "GHSA-m748-hjqg-rpp8",
  "modified": "2024-10-25T21:27:25Z",
  "published": "2022-09-22T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3250"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikus060/rdiffweb/commit/ac334dd27ceadac0661b1e2e059a8423433c3fee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ikus060/rdiffweb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-287.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/39889a3f-8bb7-448a-b0d4-a18c671bbd23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rdiffweb has insecure HTTP cookies"
}

GHSA-M754-RPQ6-3VF7

Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-19 00:00
VLAI
Details

Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)",
  "id": "GHSA-m754-rpq6-3vf7",
  "modified": "2022-05-19T00:00:28Z",
  "published": "2022-05-07T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27764"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097778coo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M825-V286-93RF

Vulnerability from github – Published: 2025-10-10 12:30 – Updated: 2025-10-10 12:30
VLAI
Details

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-10T10:15:34Z",
    "severity": "MODERATE"
  },
  "details": "A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.",
  "id": "GHSA-m825-v286-93rf",
  "modified": "2025-10-10T12:30:56Z",
  "published": "2025-10-10T12:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52632"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124444"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ67-2MVX-F778

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:18Z",
    "severity": "MODERATE"
  },
  "details": "In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.",
  "id": "GHSA-mj67-2mvx-f778",
  "modified": "2025-03-20T12:32:40Z",
  "published": "2025-03-20T12:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpipam/phpipam/commit/ddf70ef6801442eb8b0be5eea829e470e653c70e"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/725bce8f-328f-4fbc-acf5-46ea920cd3c1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJW4-XVX6-3GRG

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2024-10-25 21:32
VLAI
Summary
rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Details

rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute. This makes it so that a user's cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "rdiffweb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.1"
            },
            {
              "fixed": "2.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-15T03:22:39Z",
    "nvd_published_at": "2022-09-13T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "rdiffweb version 2.4.1 is vulnerable to Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute. This makes it so that a user\u0027s cookies can be sent to the server with an unencrypted request over the HTTP protocol. Version 2.4.2 contains a fix for the issue.",
  "id": "GHSA-mjw4-xvx6-3grg",
  "modified": "2024-10-25T21:32:37Z",
  "published": "2022-09-14T00:00:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikus060/rdiffweb/commit/f2de2371c5e13ce1c6fd6f9a1ed3e5d46b93cd7e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mjw4-xvx6-3grg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ikus060/rdiffweb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-271.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/d8a32bd6-c76d-4140-a5ca-ef368a3058ce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rdiffweb vulnerable to Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}

GHSA-P4C4-FF2V-QPH3

Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-07-10 18:32
VLAI
Details

IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 257702.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-10T16:15:03Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.  IBM X-Force ID:  257702.",
  "id": "GHSA-p4c4-ff2v-qph3",
  "modified": "2024-07-10T18:32:17Z",
  "published": "2024-07-10T18:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33860"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257702"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7159770"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P8QP-4C23-F45X

Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31
VLAI
Details

In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-13T19:55:09Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings",
  "id": "GHSA-p8qp-4c23-f45x",
  "modified": "2026-03-13T21:31:51Z",
  "published": "2026-03-13T21:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32745"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR6J-Q8CQ-RHHR

Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2025-01-14 21:31
VLAI
Details

Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-29T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.",
  "id": "GHSA-pr6j-q8cq-rhhr",
  "modified": "2025-01-14T21:31:41Z",
  "published": "2022-05-24T17:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27650"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_20_18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX2M-R37R-WFR2

Vulnerability from github – Published: 2025-01-04 00:33 – Updated: 2025-01-04 00:33
VLAI
Details

IBM PowerHA SystemMirror for i 7.4 and 7.5

does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-03T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM PowerHA SystemMirror for i 7.4 and 7.5 \n\ndoes not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
  "id": "GHSA-px2m-r37r-wfr2",
  "modified": "2025-01-04T00:33:41Z",
  "published": "2025-01-04T00:33:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55897"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7180036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Always set the secure attribute when the cookie should be sent via HTTPS only.

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.