Skip to main content

CWE-539

Use of Persistent Cookies Containing Sensitive Information

7 CVEs Avg CVSS 5.7 MITRE
1
CRITICAL
2
HIGH
2
MEDIUM
2
LOW
0
POC
0
KEV

Monthly

CVE-2026-35192 PyPI LOW PATCH Monitor

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 fail to vary response headers on session cookies when SESSION_SAVE_EVERY_REQUEST is enabled but the session is unmodified, allowing remote attackers with user interaction to steal session tokens from cached public pages. The vulnerability affects server configurations that cache responses aggressively while maintaining per-request session handling, exposing authenticated users to session hijacking after visiting pages served from cache.

Python Information Disclosure
NVD VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-24318 MEDIUM This Month

Insecure session management in SAP Business Objects Business Intelligence Platform allows unauthenticated attackers to obtain and reuse valid session tokens, enabling unauthorized access to victim sessions with moderate complexity. An attacker exploiting this vulnerability could access or modify information within the compromised session's scope, affecting confidentiality and integrity. The attack requires user interaction (UI:R) and high attack complexity (AC:H), limiting real-world exploitation but still warranting prioritized remediation for organizations running affected BI Platform versions.

SAP Authentication Bypass
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-52633 LOW Monitor

HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. [CVSS 3.1 LOW]

Authentication Bypass Aion
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-27673 CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Cookie Returned in Response Body OVE-20230524-0017. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Vasion Print Virtual Appliance
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2024-39275 HIGH This Week

Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Adam 5630 Firmware
NVD
CVSS 4.0
8.5
EPSS
0.4%
CVE-2023-30861 PyPI HIGH PATCH This Week

Flask is a lightweight WSGI web application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Flask
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-27463 MEDIUM This Month

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure X Stream Enhanced Xegp Firmware X Stream Enhanced Xegk Firmware X Stream Enhanced Xefd Firmware X Stream Enhanced Xexf Firmware
NVD
CVSS 3.1
5.3
EPSS
0.9%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 fail to vary response headers on session cookies when SESSION_SAVE_EVERY_REQUEST is enabled but the session is unmodified, allowing remote attackers with user interaction to steal session tokens from cached public pages. The vulnerability affects server configurations that cache responses aggressively while maintaining per-request session handling, exposing authenticated users to session hijacking after visiting pages served from cache.

Python Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

Insecure session management in SAP Business Objects Business Intelligence Platform allows unauthenticated attackers to obtain and reuse valid session tokens, enabling unauthorized access to victim sessions with moderate complexity. An attacker exploiting this vulnerability could access or modify information within the compromised session's scope, affecting confidentiality and integrity. The attack requires user interaction (UI:R) and high attack complexity (AC:H), limiting real-world exploitation but still warranting prioritized remediation for organizations running affected BI Platform versions.

SAP Authentication Bypass
NVD VulDB
EPSS 0% CVSS 3.1
LOW Monitor

HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. [CVSS 3.1 LOW]

Authentication Bypass Aion
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Cookie Returned in Response Body OVE-20230524-0017. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Vasion Print Virtual Appliance
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Adam 5630 Firmware
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Flask is a lightweight WSGI web application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Flask
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure X Stream Enhanced Xegp Firmware X Stream Enhanced Xegk Firmware +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy