Monthly
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to intercept session cookies via man-in-the-middle attack when high-privilege users interact with the application. CVSS 5.7 reflects the requirement for high privileges and user interaction, combined with high confidentiality and integrity impact. Eaton has released a patched version available on their download center.
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.
JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cookie shadowing in Mozilla Firefox (versions prior to 141 and ESR prior to 140.1) and Thunderbird (versions prior to 141 and ESR prior to 140.1) allows remote unauthenticated attackers to bypass Secure cookie protections and access or modify session data. A nameless cookie containing an equals sign set over insecure HTTP can override cookies with the Secure attribute, enabling session hijacking or authentication bypass. No public exploit identified at time of analysis, though the attack complexity is low (CVSS AC:L) with network-based attack vector requiring no user interaction.
A remote code execution vulnerability in Secure attribute (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, Shiro-native session manager, as well as Remember-Me manager sends JSESSIONID and rememberMe cookies without 'secure' attribute by default.
NocoDB's refresh-token cookie in versions up to and including 0.301.3 was misconfigured in `setTokenCookie` - issued with only `httpOnly: true` and no `secure` or `sameSite` attributes - exposing two distinct attack paths: cookie interception over plain HTTP networks and CSRF against the `POST /api/v2/auth/token/refresh` endpoint, which returns a new JWT without validating any CSRF token. Because refresh tokens carry multi-day expiry windows via `NC_REFRESH_TOKEN_EXP_IN_DAYS`, successful exploitation yields a long-lived credential for follow-on account access. No public exploit has been identified at time of analysis and no released patched version is confirmed, despite a documented fix in the GitHub advisory GHSA-f74w-272x-mqcv.
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to intercept session cookies via man-in-the-middle attack when high-privilege users interact with the application. CVSS 5.7 reflects the requirement for high privileges and user interaction, combined with high confidentiality and integrity impact. Eaton has released a patched version available on their download center.
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.
JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cookie shadowing in Mozilla Firefox (versions prior to 141 and ESR prior to 140.1) and Thunderbird (versions prior to 141 and ESR prior to 140.1) allows remote unauthenticated attackers to bypass Secure cookie protections and access or modify session data. A nameless cookie containing an equals sign set over insecure HTTP can override cookies with the Secure attribute, enabling session hijacking or authentication bypass. No public exploit identified at time of analysis, though the attack complexity is low (CVSS AC:L) with network-based attack vector requiring no user interaction.
A remote code execution vulnerability in Secure attribute (CVSS 6.5). Remediation should follow standard vulnerability management procedures.