Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41819 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2025-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. | |||||
| CVE-2025-31120 | 1 Namelessmc | 1 Nameless | 2025-05-13 | N/A | 5.3 MEDIUM |
| NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0. | |||||
| CVE-2024-39734 | 1 Ibm | 1 Datacap | 2025-03-25 | N/A | 4.3 MEDIUM |
| IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 296001. | |||||
| CVE-2025-2395 | 2025-03-17 | N/A | 9.8 CRITICAL | ||
| The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator. | |||||
| CVE-2023-35885 | 1 Mgt-commerce | 1 Cloudpanel | 2024-12-09 | N/A | 9.8 CRITICAL |
| CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication. | |||||
| CVE-2024-9820 | 1 Dueclic | 1 Wp 2fa With Telegram | 2024-10-19 | N/A | 7.5 HIGH |
| The WP 2FA with Telegram plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 3.0. This is due to the two-factor code being stored in a cookie, which makes it possible to bypass two-factor authentication. | |||||
| CVE-2023-41084 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-08-02 | N/A | 9.8 CRITICAL |
| Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device. | |||||
| CVE-2024-21872 | 2024-05-28 | N/A | N/A | ||
| The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allows more critical operations to the transmitter. | |||||
| CVE-2024-22186 | 2024-05-28 | N/A | N/A | ||
| The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator. | |||||
| CVE-2008-5784 | 1 V3chat | 1 V3 Chat Profiles Dating Script | 2024-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1. | |||||
| CVE-2023-32725 | 1 Zabbix | 2 Frontend, Zabbix Server | 2023-12-22 | N/A | 8.8 HIGH |
| The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user. | |||||
| CVE-2021-33842 | 1 Circutor | 2 Sge-plc1000, Sge-plc1000 Firmware | 2023-11-23 | 7.7 HIGH | 8.8 HIGH |
| Improper Authentication vulnerability in the cookie parameter of Circutor SGE-PLC1000 firmware version 0.9.2b allows an attacker to perform operations as an authenticated user. In order to exploit this vulnerability, the attacker must be within the network where the device affected is located. | |||||
| CVE-2022-3083 | 1 Landisgyr | 2 E850, E850 Firmware | 2023-11-07 | N/A | 5.4 MEDIUM |
| All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values. | |||||
| CVE-2022-2615 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2023-11-07 | N/A | 6.5 MEDIUM |
| Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||||
| CVE-2020-7070 | 7 Canonical, Debian, Fedoraproject and 4 more | 7 Ubuntu Linux, Debian Linux, Fedora and 4 more | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. | |||||
| CVE-2020-29668 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2023-11-07 | 4.3 MEDIUM | 3.7 LOW |
| Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. | |||||
| CVE-2011-3887 | 2 Apple, Google | 3 Iphone Os, Safari, Chrome | 2023-11-07 | 5.0 MEDIUM | N/A |
| Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors. | |||||
| CVE-2023-45128 | 1 Gofiber | 1 Fiber | 2023-10-23 | N/A | 8.8 HIGH |
| Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-45141 | 1 Gofiber | 1 Fiber | 2023-10-23 | N/A | 8.8 HIGH |
| Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes. | |||||
| CVE-2022-30620 | 1 Cellinx | 2 Cellinx Nvt - Ip Ptz Camera, Cellinx Nvt - Ip Ptz Camera Firmware | 2023-08-08 | N/A | 8.8 HIGH |
| On Cellinx Camera with guest enabled, attacker with web access can elevate privileges to administrative: "1" to "0" privileges by changing the following cookie values from "is_admin", "showConfig". Administrative Privileges which allows changing various configuration in the camera. | |||||