Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-45128 | 1 Gofiber | 1 Fiber | 2024-09-16 | 10 Critical |
| Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-28233 | 2024-08-15 | 8.1 High | ||
| JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0. | ||||
| CVE-2024-22186 | 2024-08-08 | 8.8 High | ||
| The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator. | ||||
| CVE-2008-5784 | 1 V3chat | 1 V3 Chat Profiles Dating Script | 2024-08-07 | 9.8 Critical |
| V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1. | ||||
| CVE-2011-3887 | 2 Apple, Google | 3 Iphone Os, Safari, Chrome | 2024-08-06 | N/A |
| Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors. | ||||
| CVE-2012-5631 | 1 Freeipa | 1 Freeipa | 2024-08-06 | 8.8 High |
| ipa 3.0 does not properly check server identity before sending credential containing cookies | ||||
| CVE-2016-15002 | 1 Ideracorp | 1 Webyog Monyog Ultimate | 2024-08-06 | 7.3 High |
| A vulnerability, which was classified as critical, was found in MONyog Ultimate 6.63. This affects an unknown part of the component Cookie Handler. The manipulation of the argument HasServerEdit/IsAdmin leads to privilege escalation. It is possible to initiate the attack remotely. | ||||
| CVE-2017-8034 | 1 Cloudfoundry | 3 Capi-release, Cf-release, Routing-release | 2024-08-05 | N/A |
| The Cloud Controller and Router in Cloud Foundry (CAPI-release capi versions prior to v1.32.0, Routing-release versions prior to v0.159.0, CF-release versions prior to v267) do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges. | ||||
| CVE-2017-7279 | 1 Unitrends | 1 Enterprise Backup | 2024-08-05 | N/A |
| An unprivileged user of the Unitrends Enterprise Backup before 9.0.0 web server can escalate to root privileges by modifying the "token" cookie issued at login. | ||||
| CVE-2017-6896 | 1 Digisol | 2 Dg-hr1400 Router, Dg-hr1400 Router Firmware | 2024-08-05 | N/A |
| Privilege escalation vulnerability on the DIGISOL DG-HR1400 1.00.02 wireless router enables an attacker to escalate from user privilege to admin privilege just by modifying the Base64-encoded session cookie value. | ||||
| CVE-2018-20512 | 1 Cdatatec | 22 Epon Cpe-wifi Devices Firmware, Fd108bn, Fd111hz and 19 more | 2024-08-05 | N/A |
| EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies. | ||||
| CVE-2018-5455 | 1 Moxa | 8 Oncell G3110-hspa, Oncell G3110-hspa-t, Oncell G3110-hspa-t Firmware and 5 more | 2024-08-05 | N/A |
| A Reliance on Cookies without Validation and Integrity Checking issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application allows a cookie parameter to consist of only digits, allowing an attacker to perform a brute force attack bypassing authentication and gaining access to device functions. | ||||
| CVE-2018-5190 | 1 Picturespro | 1 Picturespro | 2024-08-05 | N/A |
| PicturesPro Photo Cart 6 and 7 before Security-Patch-2018-B allows remote attackers to access arbitrary customer accounts via a modified cookie, related to pc_head.php, pc_login.php, and pc_login_page.php. | ||||
| CVE-2019-17104 | 1 Centreon | 1 Centreon Vm | 2024-08-05 | 7.5 High |
| In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set. | ||||
| CVE-2019-7266 | 1 Nortekcontrol | 4 Linear Emerge 5000p, Linear Emerge 5000p Firmware, Linear Emerge 50p and 1 more | 2024-08-04 | 9.8 Critical |
| Linear eMerge 50P/5000P devices allow Authentication Bypass. | ||||
| CVE-2020-29668 | 3 Debian, Fedoraproject, Sympa | 3 Debian Linux, Fedora, Sympa | 2024-08-04 | 3.7 Low |
| Sympa before 6.2.59b.2 allows remote attackers to obtain full SOAP API access by sending any arbitrary string (except one from an expired cookie) as the cookie value to authenticateAndRun. | ||||
| CVE-2020-26955 | 1 Mozilla | 1 Firefox | 2024-08-04 | 6.5 Medium |
| When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83. | ||||
| CVE-2020-15128 | 1 Octobercms | 1 October | 2024-08-04 | 6.1 Medium |
| In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468). | ||||
| CVE-2021-41819 | 6 Debian, Fedoraproject, Opensuse and 3 more | 12 Debian Linux, Fedora, Factory and 9 more | 2024-08-04 | 7.5 High |
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. | ||||
| CVE-2021-41263 | 1 Discourse | 1 Rails Multisite | 2024-08-04 | 8.3 High |
| rails_multisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using `rails_multisite` alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application. The issue has been patched in v4 of the `rails_multisite` gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture. | ||||