Total
69 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-65212 | 1 Njhyst | 2 Hy511, Hy511 Firmware | 2026-01-29 | N/A | 9.8 CRITICAL |
| An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page. | |||||
| CVE-2025-64447 | 1 Fortinet | 1 Fortiweb | 2025-12-09 | N/A | 8.1 HIGH |
| A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS request via forged cookies, requiring prior knowledge of the FortiWeb serial number. | |||||
| CVE-2025-2395 | 1 Edetw | 1 U-office Force | 2025-11-18 | N/A | 9.8 CRITICAL |
| The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator. | |||||
| CVE-2025-59247 | 1 Microsoft | 1 Azure Playfab | 2025-10-20 | N/A | 8.8 HIGH |
| Azure PlayFab Elevation of Privilege Vulnerability | |||||
| CVE-2024-28288 | 1 Ruijie | 2 Rg-nbr700gw, Rg-nbr700gw Firmware | 2025-06-30 | N/A | 9.8 CRITICAL |
| Ruijie RG-NBR700GW 10.3(4b12) router lacks cookie verification when resetting the password, resulting in an administrator password reset vulnerability. An attacker can use this vulnerability to log in to the device and disrupt the business of the enterprise. | |||||
| CVE-2021-20450 | 1 Ibm | 1 Cognos Controller | 2025-06-18 | N/A | 4.3 MEDIUM |
| IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 196640. | |||||
| CVE-2021-41819 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2025-05-22 | 5.0 MEDIUM | 7.5 HIGH |
| CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. | |||||
| CVE-2025-31120 | 1 Namelessmc | 1 Nameless | 2025-05-13 | N/A | 5.3 MEDIUM |
| NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie (nl-topic-[tid]) (or session variable for guests) to determine if a view should be counted. When a client does not provide the cookie, every page request increments the counter, leading to incorrect view metrics. This issue has been patched in version 2.2.0. | |||||
| CVE-2024-55211 | 1 Think | 2 Tk-rt-wr135g, Tk-rt-wr135g Firmware | 2025-04-25 | N/A | 8.4 HIGH |
| An issue in Think Router Tk-Rt-Wr135G V3.0.2-X000 allows attackers to bypass authentication via a crafted cookie. | |||||
| CVE-2024-1551 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Thunderbird | 2025-04-02 | N/A | 6.1 MEDIUM |
| Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. | |||||
| CVE-2024-39734 | 1 Ibm | 1 Datacap | 2025-03-25 | N/A | 4.3 MEDIUM |
| IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 296001. | |||||
| CVE-2023-35885 | 1 Mgt-commerce | 1 Cloudpanel | 2024-12-09 | N/A | 9.8 CRITICAL |
| CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication. | |||||
| CVE-2023-32612 | 1 Wavlink | 2 Wl-wn531ax2, Wl-wn531ax2 Firmware | 2024-11-27 | N/A | 7.2 HIGH |
| Client-side enforcement of server-side security issue exists in WL-WN531AX2 firmware versions prior to 2023526, which may allow an attacker with an administrative privilege to execute OS commands with the root privilege. | |||||
| CVE-2023-45141 | 1 Gofiber | 1 Fiber | 2024-11-21 | N/A | 8.6 HIGH |
| Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes. | |||||
| CVE-2023-45128 | 1 Gofiber | 1 Fiber | 2024-11-21 | N/A | 10.0 CRITICAL |
| Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-41084 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-11-21 | N/A | 10.0 CRITICAL |
| Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device. | |||||
| CVE-2023-3747 | 1 Cloudflare | 1 Warp | 2024-11-21 | N/A | 5.5 MEDIUM |
| Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date & time on the local device where WARP is running. | |||||
| CVE-2023-32725 | 1 Zabbix | 2 Frontend, Zabbix Server | 2024-11-21 | N/A | 9.6 CRITICAL |
| The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user. | |||||
| CVE-2022-3083 | 1 Landisgyr | 2 E850, E850 Firmware | 2024-11-21 | N/A | 3.9 LOW |
| All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values. | |||||
| CVE-2022-38297 | 1 Ucms Project | 1 Ucms | 2024-11-21 | N/A | 9.8 CRITICAL |
| UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning. | |||||