Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-29624 | 1 Fastify | 1 Fastify-csrf | 2024-08-03 | 6.5 Medium |
| fastify-csrf is an open-source plugin helps developers protect their Fastify server against CSRF attacks. Versions of fastify-csrf prior to 3.1.0 have a "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Version 3.1.0 of the fastify-csrf fixes it. the vulnerability. The user of the module would need to supply a `userInfo` when generating the CSRF token to fully implement the protection on their end. This is needed only for applications hosted on different subdomains. | ||||
| CVE-2021-3818 | 1 Getgrav | 1 Grav | 2024-08-03 | 5.3 Medium |
| grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking | ||||
| CVE-2022-38297 | 1 Ucms Project | 1 Ucms | 2024-08-03 | 9.8 Critical |
| UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning. | ||||
| CVE-2022-36032 | 1 Reactphp | 1 Http | 2024-08-03 | 5.3 Medium |
| ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers. | ||||
| CVE-2022-29912 | 2 Mozilla, Redhat | 6 Firefox, Firefox Esr, Thunderbird and 3 more | 2024-08-03 | 6.1 Medium |
| Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. | ||||
| CVE-2022-29248 | 3 Debian, Drupal, Guzzlephp | 3 Debian Linux, Drupal, Guzzle | 2024-08-03 | 8 High |
| Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware. | ||||
| CVE-2022-29117 | 3 Fedoraproject, Microsoft, Redhat | 7 Fedora, .net, .net Core and 4 more | 2024-08-03 | 7.5 High |
| .NET and Visual Studio Denial of Service Vulnerability | ||||
| CVE-2022-28113 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2024-08-03 | 7.2 High |
| An issue in upload.csp of FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows attackers to write files and reset the user passwords without having a valid session cookie. | ||||
| CVE-2022-3083 | 1 Landisgyr | 2 E850, E850 Firmware | 2024-08-03 | 3.9 Low |
| All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values. | ||||
| CVE-2022-2615 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-08-03 | 6.5 Medium |
| Insufficient policy enforcement in Cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | ||||
| CVE-2022-1148 | 1 Gitlab | 1 Gitlab | 2024-08-02 | 5.3 Medium |
| Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites | ||||
| CVE-2023-41084 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-08-02 | 10 Critical |
| Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device. | ||||
| CVE-2023-35885 | 1 Mgt-commerce | 1 Cloudpanel | 2024-08-02 | 9.8 Critical |
| CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication. | ||||
| CVE-2023-32725 | 1 Zabbix | 2 Frontend, Zabbix Server | 2024-08-02 | 9.6 Critical |
| The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user. | ||||
| CVE-2023-3050 | 1 Tmtmakine | 2 Lockcell, Lockcell Firmware | 2024-08-02 | 9.8 Critical |
| Reliance on Cookies without Validation and Integrity Checking in a Security Decision vulnerability in TMT Lockcell allows Privilege Abuse, Authentication Bypass.This issue affects Lockcell: before 15. | ||||
| CVE-2024-21872 | 2024-08-01 | 7.5 High | ||
| The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allows more critical operations to the transmitter. | ||||
| CVE-2024-0947 | 2024-08-01 | 9.8 Critical | ||
| Reliance on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows Session Credential Falsification through Manipulation, Accessing/Intercepting/Modifying HTTP Cookies, Manipulating Opaque Client-based Data Tokens.This issue affects Elektraweb: before v17.0.68. | ||||