CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
53 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-614 (page 1 of 2)
- CVE-2015-3207 (MEDIUM, CVSS 5.3, EG 5.3, 2022-07-07)
  In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes.
- CVE-2018-25060 (LOW, CVSS 3.7, EG 3.7, 2022-12-30)
  A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute…
- CVE-2020-27650 (MEDIUM, CVSS 5.8, EG 3.7, 2020-10-29)
  Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an H…
- CVE-2020-27651 (MEDIUM, CVSS 5.8, EG 5.8, 2020-10-29)
  Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP sess…
- CVE-2020-29024 (MEDIUM, CVSS 5.3, EG 5.3, 2021-02-16)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in (GTA) GoToAppliance of Secomea GateManager could allow an attacker to gain access to sensitive cookies. This issue affects: Secomea GateManager all versions prio…
- CVE-2021-27764 (HIGH, CVSS 7.4, EG 6.5, 2022-05-06)
  Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)
- CVE-2021-35236 (LOW, CVSS 3.1, EG 5.3, 2021-10-27)
  The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help…
- CVE-2021-3882 (MEDIUM, CVSS 6.8, EG 6.8, 2021-10-14)
  LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be…
- CVE-2022-21940 (HIGH, CVSS 7.5, EG 6.1, 2023-02-09)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
- CVE-2022-24045 (MEDIUM, CVSS 6.5, EG 6.5, 2022-05-20)
  A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The appl…
- CVE-2022-25151 (HIGH, CVSS 7.5, EG 7.5, 2022-06-09)
  Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain a…
- CVE-2022-3174 (HIGH, CVSS 7.5, EG 7.5, 2022-09-13)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2.
- CVE-2022-3250 (MEDIUM, CVSS 5.3, EG 5.3, 2022-09-21)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.
- CVE-2022-3251 (MEDIUM, CVSS 5.3, EG 5.3, 2022-09-21)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2.
- CVE-2022-4409 (HIGH, CVSS 7.5, EG 7.5, 2022-12-11)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.
- CVE-2022-4683 (MEDIUM, CVSS 6.5, EG 6.5, 2022-12-23)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.
- CVE-2023-0055 (MEDIUM, CVSS 5.3, EG 5.3, 2023-01-04)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.
- CVE-2023-33860 (MEDIUM, CVSS 5.3, EG 5.3, 2024-07-10)
  IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes …
- CVE-2023-3520 (MEDIUM, CVSS 4.6, EG 4.3, 2023-07-06)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.
- CVE-2023-42016 (MEDIUM, CVSS 4.3, EG 4.3, 2024-02-09)
  IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http…
- CVE-2023-46179 (MEDIUM, CVSS 4.3, EG 4.3, 2024-03-15)
  IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site t…
- CVE-2023-4654 (LOW, CVSS 3.5, EG 2.6, 2023-08-31)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.
- CVE-2023-5035 (LOW, CVSS 3.1, EG 3.1, 2023-11-02)
  A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP …
- CVE-2023-5866 (MEDIUM, CVSS 5.7, EG 5.7, 2023-10-31)
  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
- CVE-2024-0349 (LOW, CVSS 3.7, EG 3.7, 2024-01-09)
  A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to sensitive cookie without secure attribute. …
- CVE-2024-10718 (HIGH, CVSS 7.5, EG 5.3, 2025-03-20)
  In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information.…
- CVE-2024-2493 (HIGH, CVSS 7.5, EG 7.5, 2024-04-23)
  Session Hijacking vulnerability in Hitachi Ops Center Analyzer. This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00.
- CVE-2024-28770 (MEDIUM, CVSS 4.8, EG 4.8, 2025-01-27)
  IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// l…
- CVE-2024-28771 (MEDIUM, CVSS 4.8, EG 4.8, 2025-01-27)
  IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// l…
- CVE-2024-30142 (LOW, CVSS 3.8, EG 3.8, 2024-11-07)
  HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencryp…
- CVE-2024-35211 (MEDIUM, CVSS 5.5, EG 6.5, 2024-06-11)
  A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a successful login, sets the session cookie on the browser, without applying any security attributes (…
- CVE-2024-39734 (MEDIUM, CVSS 4.3, EG 4.3, 2024-07-14)
  IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting thi…
- CVE-2024-41684 (MEDIUM, CVSS 5.3, EG 5.3, 2024-07-26)
  This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting tra…
- CVE-2024-43180 (MEDIUM, CVSS 4.3, EG 4.3, 2024-09-13)
  IBM Concert 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cooki…
- CVE-2024-47833 (MEDIUM, CVSS 6.5, EG 6.5, 2024-10-09)
  Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been …
- CVE-2024-55897 (MEDIUM, CVSS 4.3, EG 4.3, 2025-01-03)
  IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a sit…
- CVE-2024-58317 (MEDIUM, CVSS 5.3, EG 5.3, 2025-12-18)
  A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling th…
- CVE-2025-0479 (HIGH, CVSS 8.6, EG 0.0, 2025-01-20)
  This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vul…
- CVE-2025-24390 (MEDIUM, CVSS 6.8, EG 6.8, 2025-01-27)
  A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 202…
- CVE-2025-24897 (HIGH, CVSS 8.2, EG 8.2, 2025-02-11)
  Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protection and the lack of proper security attributes in the authentication cookies of Bu…
- CVE-2025-27450 (MEDIUM, CVSS 6.5, EG 6.5, 2025-07-03)
  The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie.
- CVE-2025-36011 (MEDIUM, CVSS 4.3, EG 4.3, 2025-09-09)
  IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this l…
- CVE-2025-36026 (MEDIUM, CVSS 4.3, EG 4.3, 2025-06-28)
  IBM Datacap 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the u…
- CVE-2025-36249 (LOW, CVSS 3.7, EG 3.7, 2025-10-31)
  IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this l…
- CVE-2025-52614 (LOW, CVSS 3.5, EG 3.5, 2025-10-12)
  HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site.
- CVE-2025-52632 (MEDIUM, CVSS 6.5, EG 6.5, 2025-10-10)
  A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.
- CVE-2025-53757 (HIGH, CVSS 8.7, EG 0.0, 2025-07-16)
  This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing …
- CVE-2025-8037 (CRITICAL, CVSS 9.1, EG 9.1, 2025-07-22)
  Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox …
- CVE-2026-22617 (MEDIUM, CVSS 5.7, EG 5.7, 2026-04-16)
  Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network-based attacker to intercept the cookie and exploit it through a man-in-the-middle attack. This security issue has been fixe…
- CVE-2026-41017 (MEDIUM, CVSS 5.9, EG 0.0, 2026-06-01)
  Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminate…