CWE-614
AllowedSensitive Cookie in HTTPS Session Without 'Secure' Attribute
Abstraction: Variant · Status: Draft
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
115 vulnerabilities reference this CWE, most recent first.
GHSA-8R4J-CG5X-MV4Q
Vulnerability from github – Published: 2025-06-28 03:35 – Updated: 2025-06-28 03:35IBM Datacap 9.1.7, 9.1.8, and 9.1.9
does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2025-36026"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-28T01:15:25Z",
"severity": "MODERATE"
},
"details": "IBM Datacap 9.1.7, 9.1.8, and 9.1.9 \n\ndoes not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-8r4j-cg5x-mv4q",
"modified": "2025-06-28T03:35:24Z",
"published": "2025-06-28T03:35:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36026"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7238443"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8VM5-MX6J-HVFC
Vulnerability from github – Published: 2024-07-26 12:35 – Updated: 2024-08-06 15:30This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-41684"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-26T12:15:02Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router\u0027s web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system.",
"id": "GHSA-8vm5-mx6j-hvfc",
"modified": "2024-08-06T15:30:48Z",
"published": "2024-07-26T12:35:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41684"
},
{
"type": "WEB",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-94W6-J9M3-VPW3
Vulnerability from github – Published: 2024-09-13 03:31 – Updated: 2024-09-13 03:31IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
{
"affected": [],
"aliases": [
"CVE-2024-43180"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T02:15:01Z",
"severity": "MODERATE"
},
"details": "IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
"id": "GHSA-94w6-j9m3-vpw3",
"modified": "2024-09-13T03:31:33Z",
"published": "2024-09-13T03:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43180"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/351213"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168234"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-95V7-H9J5-GVJR
Vulnerability from github – Published: 2026-06-01 09:31 – Updated: 2026-07-09 20:53Apache Airflow's JWTRefreshMiddleware set the JWT auth cookie without the Secure flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to apache-airflow 3.2.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41017"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:53:08Z",
"nvd_published_at": "2026-06-01T09:16:18Z",
"severity": "MODERATE"
},
"details": "Apache Airflow\u0027s `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user\u0027s session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user\u0027s browser to issue an HTTP request to the deployment\u0027s hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie\u0027s secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.",
"id": "GHSA-95v7-h9j5-gvjr",
"modified": "2026-07-09T20:53:09Z",
"published": "2026-06-01T09:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41017"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/65348"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2026-171.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/31/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow has a Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute"
}
GHSA-9Q2Q-RV8X-X676
Vulnerability from github – Published: 2023-08-31 03:30 – Updated: 2023-08-31 03:30Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.
{
"affected": [],
"aliases": [
"CVE-2023-4654"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T01:15:10Z",
"severity": "LOW"
},
"details": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.",
"id": "GHSA-9q2q-rv8x-x676",
"modified": "2023-08-31T03:30:36Z",
"published": "2023-08-31T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4654"
},
{
"type": "WEB",
"url": "https://github.com/instantsoft/icms2/commit/ca5f150da11d9caae86638885137afe35bcc3592"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/56432a75-af43-4b1a-9307-bd8de568351b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C6R4-QJMW-CVJ2
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-06-30 17:27Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shiro:shiro-web"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-incubating"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shiro:shiro-web"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha-1"
},
{
"fixed": "3.0.0-alpha-2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.0.0-alpha-1"
]
}
],
"aliases": [
"CVE-2026-43828"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T17:27:51Z",
"nvd_published_at": "2026-05-25T21:16:34Z",
"severity": "MODERATE"
},
"details": "Default configurations of Apache Shiro send sensitive cookies in HTTPS session without \u0027Secure\u0027 attribute.\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without \u0027secure\u0027 attribute by default.",
"id": "GHSA-c6r4-qjmw-cvj2",
"modified": "2026-06-30T17:27:51Z",
"published": "2026-05-26T13:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43828"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/shiro"
},
{
"type": "WEB",
"url": "https://shiro.apache.org/security-reports.html#cve_2026_43828"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/RE:L/U:Amber",
"type": "CVSS_V4"
}
],
"summary": "Apache Shiro sends sensitive cookies in HTTPS session without \u0027Secure\u0027 attribute"
}
GHSA-F3MC-75Q8-F845
Vulnerability from github – Published: 2025-07-16 12:30 – Updated: 2025-07-16 12:30This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection.
Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device.
{
"affected": [],
"aliases": [
"CVE-2025-53757"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-16T12:15:30Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection. \n\nSuccessful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device.",
"id": "GHSA-f3mc-75q8-f845",
"modified": "2025-07-16T12:30:27Z",
"published": "2025-07-16T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53757"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0147"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F4G5-7FG3-8RW6
Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
{
"affected": [],
"aliases": [
"CVE-2026-57948"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T18:16:39Z",
"severity": "HIGH"
},
"details": "Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.",
"id": "GHSA-f4g5-7fg3-8rw6",
"modified": "2026-06-29T18:31:56Z",
"published": "2026-06-29T18:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57948"
},
{
"type": "WEB",
"url": "https://github.com/pinpoint-apm/pinpoint/issues/13858"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/pinpoint-insecure-session-cookie-attributes-in-pinpointjwt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F74W-272X-MQCV
Vulnerability from github – Published: 2026-05-21 20:35 – Updated: 2026-05-21 20:35Summary
The refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint.
Details
In packages/nocodb/src/services/users/helpers.ts, setTokenCookie produced the cookie with only httpOnly, an expires date, and an optional domain from NC_BASE_HOST_NAME — no secure, no sameSite. The refresh endpoint POST /api/v2/auth/token/refresh (auth.controller.ts) read the cookie unconditionally and returned a new JWT, with no CSRF token.
The fix sets httpOnly: true, sameSite: 'lax', and conditional secure: req.ncSiteUrl.startsWith('https') so the flag is active under HTTPS while still functional on plain-HTTP localhost development.
This is distinct from GHSA-x4vh-j75g-268g (refresh-token lifecycle on password reset) — different root cause, different attack vector.
Impact
- Cookie interception on plain HTTP networks (no
secure). - Cross-site refresh: malicious cross-origin pages could trigger token refresh and, combined with any same-origin XSS or open-redirect on the NocoDB domain, capture the new JWT.
- Refresh tokens have multi-day expiry (
NC_REFRESH_TOKEN_EXP_IN_DAYS), so the exposure window is long.
Credit
This issue was reported by @ik0z.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.301.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46550"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T20:35:24Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint.\n\n### Details\n\nIn `packages/nocodb/src/services/users/helpers.ts`, `setTokenCookie` produced the cookie with only `httpOnly`, an `expires` date, and an optional `domain` from `NC_BASE_HOST_NAME` \u2014 no `secure`, no `sameSite`. The refresh endpoint `POST /api/v2/auth/token/refresh` (`auth.controller.ts`) read the cookie unconditionally and returned a new JWT, with no CSRF token.\n\nThe fix sets `httpOnly: true`, `sameSite: \u0027lax\u0027`, and conditional `secure: req.ncSiteUrl.startsWith(\u0027https\u0027)` so the flag is active under HTTPS while still functional on plain-HTTP localhost development.\n\nThis is distinct from GHSA-x4vh-j75g-268g (refresh-token lifecycle on password reset) \u2014 different root cause, different attack vector.\n\n### Impact\n\n- Cookie interception on plain HTTP networks (no `secure`).\n- Cross-site refresh: malicious cross-origin pages could trigger token refresh and, combined with any same-origin XSS or open-redirect on the NocoDB domain, capture the new JWT.\n- Refresh tokens have multi-day expiry (`NC_REFRESH_TOKEN_EXP_IN_DAYS`), so the exposure window is long.\n\n### Credit\n\nThis issue was reported by [@ik0z](https://github.com/ik0z).",
"id": "GHSA-f74w-272x-mqcv",
"modified": "2026-05-21T20:35:24Z",
"published": "2026-05-21T20:35:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-f74w-272x-mqcv"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags"
}
GHSA-FGH3-6CC5-G9MV
Vulnerability from github – Published: 2023-07-06 03:30 – Updated: 2023-07-06 03:30Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.
{
"affected": [],
"aliases": [
"CVE-2023-3520"
],
"database_specific": {
"cwe_ids": [
"CWE-614"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T01:15:08Z",
"severity": "MODERATE"
},
"details": "Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.",
"id": "GHSA-fgh3-6cc5-g9mv",
"modified": "2023-07-06T03:30:43Z",
"published": "2023-07-06T03:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3520"
},
{
"type": "WEB",
"url": "https://github.com/it-novum/openitcockpit/commit/6c717f3c352e55257fc3fef2c5dec111f7d2ee6b"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f3b277bb-91db-419e-bcc4-fe0b055d2551"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Always set the secure attribute when the cookie should be sent via HTTPS only.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.