Monthly
Session hijacking in Pinpoint (open-source APM) through version 3.1.0 stems from the pinpointJwt session cookie being issued without the HttpOnly and Secure flags, letting client-side JavaScript read it via document.cookie and allowing it to traverse cleartext HTTP. An attacker who can land a stored or reflected XSS payload, or who can sniff network traffic, can steal the JWT session token and impersonate the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; the CVSS 4.0 base score is 7.6.
Session cookie hijacking in Boruta authorization server prior to 0.9.1 allows network-positioned attackers to capture authentication and remember-me cookies because they lack the Secure attribute and may be transmitted over plaintext HTTP. The flaw affects boruta_web, boruta_identity, and boruta_admin components and enables full user impersonation, including potentially administrative sessions on an OAuth 2.0/OpenID Connect identity provider. No public exploit identified at time of analysis and the issue is not in CISA KEV.
OIDC session cookie exposure in TwiN gatus 5.36.0 allows network-positioned attackers to intercept authentication tokens because the `setSessionCookie` function in `security/oidc.go` sets session cookies without the Secure attribute, permitting transmission over unencrypted HTTP connections. Only deployments with OIDC authentication enabled are affected, and exploitation requires high attack complexity due to mandatory network interception positioning. No public exploit code has been identified; the upstream maintainer has closed the associated GitHub issue (#1689) as 'not planned', meaning no vendor patch will be released.
Session and OIDC state cookies in nebula-mesh up to v0.3.1 are transmitted without the Secure attribute, allowing a network-adjacent attacker who can observe a single plaintext HTTP request to recover the session cookie and fully impersonate the operator for up to 24 hours. The OIDC state cookie carries an additional CSRF risk during its 10-minute validity window, enabling an attacker to hijack the OIDC callback flow. A working reproducer is included in the GHSA advisory; no public exploit framework distribution is known and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Session token disclosure in HAX CMS versions 25.0.0 through 26.0.0 (exclusive) stems from the haxcms_refresh_token cookie being issued without the Secure flag, allowing the browser to send it over plaintext HTTP. A network-positioned attacker can capture the refresh token via passive sniffing and hijack the victim's authenticated session. No public exploit identified at time of analysis, and the vendor has published a fix in version 26.0.0.
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to root, enabling network-adjacent attackers with authenticated sessions to perform limited integrity modifications under high-complexity conditions. The missing Secure attribute allows cookies to be transmitted over unencrypted HTTP channels, while the absent SameSite attribute opens a cross-site request forgery vector. CVSS scores this at 3.1 (Low); no public exploit code exists and it is not listed in CISA KEV.
JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to intercept session cookies via man-in-the-middle attack when high-privilege users interact with the application. CVSS 5.7 reflects the requirement for high privileges and user interaction, combined with high confidentiality and integrity impact. Eaton has released a patched version available on their download center.
Session hijacking in Pinpoint (open-source APM) through version 3.1.0 stems from the pinpointJwt session cookie being issued without the HttpOnly and Secure flags, letting client-side JavaScript read it via document.cookie and allowing it to traverse cleartext HTTP. An attacker who can land a stored or reflected XSS payload, or who can sniff network traffic, can steal the JWT session token and impersonate the victim. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; the CVSS 4.0 base score is 7.6.
Session cookie hijacking in Boruta authorization server prior to 0.9.1 allows network-positioned attackers to capture authentication and remember-me cookies because they lack the Secure attribute and may be transmitted over plaintext HTTP. The flaw affects boruta_web, boruta_identity, and boruta_admin components and enables full user impersonation, including potentially administrative sessions on an OAuth 2.0/OpenID Connect identity provider. No public exploit identified at time of analysis and the issue is not in CISA KEV.
OIDC session cookie exposure in TwiN gatus 5.36.0 allows network-positioned attackers to intercept authentication tokens because the `setSessionCookie` function in `security/oidc.go` sets session cookies without the Secure attribute, permitting transmission over unencrypted HTTP connections. Only deployments with OIDC authentication enabled are affected, and exploitation requires high attack complexity due to mandatory network interception positioning. No public exploit code has been identified; the upstream maintainer has closed the associated GitHub issue (#1689) as 'not planned', meaning no vendor patch will be released.
Session and OIDC state cookies in nebula-mesh up to v0.3.1 are transmitted without the Secure attribute, allowing a network-adjacent attacker who can observe a single plaintext HTTP request to recover the session cookie and fully impersonate the operator for up to 24 hours. The OIDC state cookie carries an additional CSRF risk during its 10-minute validity window, enabling an attacker to hijack the OIDC callback flow. A working reproducer is included in the GHSA advisory; no public exploit framework distribution is known and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Session token disclosure in HAX CMS versions 25.0.0 through 26.0.0 (exclusive) stems from the haxcms_refresh_token cookie being issued without the Secure flag, allowing the browser to send it over plaintext HTTP. A network-positioned attacker can capture the refresh token via passive sniffing and hijack the victim's authenticated session. No public exploit identified at time of analysis, and the vendor has published a fix in version 26.0.0.
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to root, enabling network-adjacent attackers with authenticated sessions to perform limited integrity modifications under high-complexity conditions. The missing Secure attribute allows cookies to be transmitted over unencrypted HTTP channels, while the absent SameSite attribute opens a cross-site request forgery vector. CVSS scores this at 3.1 (Low); no public exploit code exists and it is not listed in CISA KEV.
JWT session cookies in Apache Airflow's JWTRefreshMiddleware are set without the Secure flag when Airflow runs behind an HTTPS-terminating reverse proxy, exposing them to network interception. Affected versions span Apache Airflow 3.0.0 through 3.2.1 (exclusive), where the middleware checked only for a local ssl_cert configuration setting to determine cookie security - missing the common deployment pattern where TLS is offloaded at a load balancer or proxy layer. An unauthenticated network adversary positioned for man-in-the-middle interception could capture a user's JWT refresh cookie and take over their authenticated session. No public exploit code or CISA KEV listing exists at time of analysis; EPSS of 0.01% reflects low automated exploitation likelihood.
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to intercept session cookies via man-in-the-middle attack when high-privilege users interact with the application. CVSS 5.7 reflects the requirement for high privileges and user interaction, combined with high confidentiality and integrity impact. Eaton has released a patched version available on their download center.