Common Weakness Enumeration

CWE-614

Allowed

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Abstraction: Variant · Status: Draft

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

115 vulnerabilities reference this CWE, most recent first.

GHSA-5453-99CG-PJH9

Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34
VLAI
Details

The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T12:15:22Z",
    "severity": "MODERATE"
  },
  "details": "The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.",
  "id": "GHSA-5453-99cg-pjh9",
  "modified": "2025-07-03T12:34:58Z",
  "published": "2025-07-03T12:34:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27450"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.endress.com"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FCF-3M52-F3Q5

Vulnerability from github – Published: 2025-10-31 15:30 – Updated: 2025-10-31 15:30
VLAI
Details

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-31T13:15:33Z",
    "severity": "LOW"
  },
  "details": "IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
  "id": "GHSA-5fcf-3m52-f3q5",
  "modified": "2025-10-31T15:30:31Z",
  "published": "2025-10-31T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36249"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7249820"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J35-XR4G-VWF4

Vulnerability from github – Published: 2026-03-25 17:32 – Updated: 2026-03-25 17:32
VLAI
Summary
@grackle-ai/server has a Missing Secure Flag on Session Cookie
Details

Impact

The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections.

Since the server binds to 127.0.0.1 by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when --allow-network is used to bind to 0.0.0.0, cookies could be transmitted over insecure network connections and intercepted by an attacker.

Affected code: - packages/server/src/session.ts:76 — cookie string lacks ; Secure attribute

Patches

0.70.5

Fix: Conditionally add ; Secure when served over HTTPS or when --allow-network is enabled:

const securePart = isHttps ? "; Secure" : "";
return `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;

Workarounds

Do not use --allow-network over untrusted networks without a TLS-terminating reverse proxy.

Resources

  • OWASP: Secure Cookie Attribute
  • File: packages/server/src/session.ts
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.70.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@grackle-ai/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.70.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T17:32:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe session cookie is set with `HttpOnly; SameSite=Lax; Path=/` but does not include the `Secure` flag. This means the cookie will be sent over plain HTTP connections.\n\nSince the server binds to `127.0.0.1` by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when `--allow-network` is used to bind to `0.0.0.0`, cookies could be transmitted over insecure network connections and intercepted by an attacker.\n\n**Affected code:**\n- `packages/server/src/session.ts:76` \u2014 cookie string lacks `; Secure` attribute\n\n### Patches\n\n0.70.5\n\n**Fix:** Conditionally add `; Secure` when served over HTTPS or when `--allow-network` is enabled:\n```typescript\nconst securePart = isHttps ? \"; Secure\" : \"\";\nreturn `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;\n```\n\n### Workarounds\n\nDo not use `--allow-network` over untrusted networks without a TLS-terminating reverse proxy.\n\n### Resources\n\n- OWASP: Secure Cookie Attribute\n- File: `packages/server/src/session.ts`",
  "id": "GHSA-5j35-xr4g-vwf4",
  "modified": "2026-03-25T17:32:39Z",
  "published": "2026-03-25T17:32:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nick-pape/grackle/security/advisories/GHSA-5j35-xr4g-vwf4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nick-pape/grackle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@grackle-ai/server has a Missing Secure Flag on Session Cookie"
}

GHSA-74C8-V93W-3C2C

Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2022-06-17 00:01
VLAI
Details

Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful Cross-Site Scripting attack on a user.",
  "id": "GHSA-74c8-v93w-3c2c",
  "modified": "2022-06-17T00:01:28Z",
  "published": "2022-06-10T00:00:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25151"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/CVE-2022-25151"
    },
    {
      "type": "WEB",
      "url": "https://csirt.divd.nl/DIVD-2021-00037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-75J3-GFF7-55X3

Vulnerability from github – Published: 2025-01-27 03:30 – Updated: 2025-01-27 03:30
VLAI
Details

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T02:15:28Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
  "id": "GHSA-75j3-gff7-55x3",
  "modified": "2025-01-27T03:30:26Z",
  "published": "2025-01-27T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28770"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7161444"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CVP-JXJH-QVVF

Vulnerability from github – Published: 2026-04-01 21:30 – Updated: 2026-04-01 21:30
VLAI
Details

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T21:17:02Z",
    "severity": "MODERATE"
  },
  "details": "IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
  "id": "GHSA-7cvp-jxjh-qvvf",
  "modified": "2026-04-01T21:30:32Z",
  "published": "2026-04-01T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4820"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7268028"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7V85-4VQ6-66GQ

Vulnerability from github – Published: 2023-11-02 18:30 – Updated: 2023-11-02 18:30
VLAI
Details

A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-02T17:15:11Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.\n\n",
  "id": "GHSA-7v85-4vq6-66gq",
  "modified": "2023-11-02T18:30:25Z",
  "published": "2023-11-02T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5035"
    },
    {
      "type": "WEB",
      "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230203-pt-g503-series-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8255-QF34-44MP

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2024-04-23 22:56
VLAI
Summary
Sensitive Cookie Without HttpOnly and Secure Flag
Details

Mautic prior to 2.1.1 fails to set flags on session cookies

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-1000046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:56:43Z",
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "Mautic prior to 2.1.1 fails to set flags on session cookies",
  "id": "GHSA-8255-qf34-44mp",
  "modified": "2024-04-23T22:56:43Z",
  "published": "2022-05-13T01:40:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/issues/1969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/pull/2311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/pull/2311/commits/f9e7981f4acf0d37fd935c9b9d5d09d7e1a49bc6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    },
    {
      "type": "WEB",
      "url": "https://www.trustmatta.com/advisories/MATTA-2017-002.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sensitive Cookie Without HttpOnly and Secure Flag"
}

GHSA-8M29-G8HW-C32W

Vulnerability from github – Published: 2024-11-07 09:30 – Updated: 2024-11-07 09:30
VLAI
Details

HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-07T09:15:03Z",
    "severity": "LOW"
  },
  "details": "HCL BigFix Compliance is affected by a missing secure flag on a cookie.  If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.",
  "id": "GHSA-8m29-g8hw-c32w",
  "modified": "2024-11-07T09:30:43Z",
  "published": "2024-11-07T09:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30142"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117197"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8QCX-87FJ-RCVF

Vulnerability from github – Published: 2024-02-09 03:33 – Updated: 2024-02-09 03:33
VLAI
Details

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 265559.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-614"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-09T01:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.  IBM X-Force ID:  265559.",
  "id": "GHSA-8qcx-87fj-rcvf",
  "modified": "2024-02-09T03:33:10Z",
  "published": "2024-02-09T03:33:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42016"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/265559"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7116083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Always set the secure attribute when the cookie should be sent via HTTPS only.

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.