Monthly
Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.
Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface.
A remote code execution vulnerability in HttpOnly flag (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CVE-2025-49189 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker - potentially leading to account takeover. Version 1.1.0.3 fixes the issue.
An issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cookie policy is observable via built-in browser tools. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.
Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface.
A remote code execution vulnerability in HttpOnly flag (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CVE-2025-49189 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker - potentially leading to account takeover. Version 1.1.0.3 fixes the issue.
An issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cookie policy is observable via built-in browser tools. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.