Skip to main content

CWE-1275

Sensitive Cookie with Improper SameSite Attribute

8 CVEs Avg CVSS 5.2 MITRE
1
CRITICAL
0
HIGH
5
MEDIUM
2
LOW
0
POC
0
KEV

Monthly

CVE-2026-55688 MEDIUM PATCH This Month

Cookie tossing in AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. Java applications sharing a single AHC instance - and therefore its default shared CookieStore - across calls to both attacker-influenced and trusted hosts are the primary attack surface; no public exploit has been identified at time of analysis, and vendor-released fixes are available in 2.16.0 and 3.0.11.

Code Injection Java Async Http Client
NVD GitHub
CVSS 3.1
4.0
EPSS
0.2%
CVE-2025-52628 MEDIUM This Month

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).

CSRF Aion
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-36134 LOW Monitor

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure IBM Sterling B2b Integrator Sterling File Gateway
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2024-42212 MEDIUM This Month

HCL BigFix Compliance is affected by an improper or missing SameSite attribute. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Bigfix Compliance
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-30155 MEDIUM This Month

HCL SX does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

CSRF Hcl Sx
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-24387 MEDIUM This Month

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation. [CVSS 4.8 MEDIUM]

Information Disclosure Suse
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-43173 LOW Monitor

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Concert
NVD
CVSS 3.1
3.7
EPSS
0.2%
CVE-2024-6611 CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox Thunderbird
NVD
CVSS 3.1
9.8
EPSS
0.7%
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Cookie tossing in AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. Java applications sharing a single AHC instance - and therefore its default shared CookieStore - across calls to both attacker-influenced and trusted hosts are the primary attack surface; no public exploit has been identified at time of analysis, and vendor-released fixes are available in 2.16.0 and 3.0.11.

Code Injection Java Async Http Client
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).

CSRF Aion
NVD
EPSS 0% CVSS 3.7
LOW Monitor

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure IBM Sterling B2b Integrator +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

HCL BigFix Compliance is affected by an improper or missing SameSite attribute. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Bigfix Compliance
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

HCL SX does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

CSRF Hcl Sx
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

A vulnerability in OTRS Application Server allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. A request to an OTRS endpoint from a possible malicious web site, would send the authentication cookie, performing an unwanted read operation. [CVSS 4.8 MEDIUM]

Information Disclosure Suse
NVD
EPSS 0% CVSS 3.7
LOW Monitor

IBM Concert 1.0.0 and 1.0.1 vulnerable to attacks that rely on the use of cookies without the SameSite attribute. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Concert
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mozilla Firefox +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy