Monthly
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.
JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote code execution vulnerability in Secure attribute (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
CVE-2025-36026 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. No vendor patch available.
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. No vendor patch available.
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability carries a CVSS score of 4.3 reflecting the requirement for user interaction.
JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote code execution vulnerability in Secure attribute (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
CVE-2025-36026 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. No vendor patch available.
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on authorization tokens or session cookies. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. No vendor patch available.