CWE-614 · Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
53 CVEs classified under CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute).
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-24897 | High | 8.2 | 2025-02-11 | Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to a lack of CSRF protectio… |
| CVE-2024-2493 | High | 7.5 | 2024-04-23 | Session Hijacking vulnerability in Hitachi Ops Center Analyzer. This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.1-00. |
| CVE-2022-21940 | High | 7.5 | 2023-02-09 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and v… |
| CVE-2022-3251 | High | 7.5 | 2022-09-21 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/minarca prior to 4.2.2. |
| CVE-2022-3174 | High | 7.5 | 2022-09-13 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2. |
| CVE-2022-25151 | High | 7.5 | 2022-06-08 | Within the Service Desk module of the ITarian platform (SAAS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set… |
| CVE-2021-27764 | High | 7.4 | 2022-05-06 | Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI) |
| CVE-2025-24390 | Medium | 6.8 | 2025-01-27 | A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS… |
| CVE-2026-43828 | Medium | 6.5 | 2026-05-25 | Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0… |
| CVE-2025-52632 | Medium | 6.5 | 2025-10-10 | A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0. |
| CVE-2025-27450 | Medium | 6.5 | 2025-07-03 | The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to… |
| CVE-2026-32745 | Medium | 6.3 | 2026-03-13 | In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings |
| CVE-2023-5866 | Medium | 6.3 | 2023-10-31 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1. |
| CVE-2022-4409 | Medium | 6.3 | 2022-12-11 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. |
| CVE-2026-41017 | Medium | 5.9 | 2026-06-01 | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-termin… |
| CVE-2021-3882 | Medium | 5.9 | 2021-10-14 | LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy… |
| CVE-2020-27650 | Medium | 5.8 | 2020-10-29 | Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remo… |
| CVE-2020-27651 | Medium | 5.8 | 2020-10-29 | Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attac… |
| CVE-2026-22617 | Medium | 5.7 | 2026-04-16 | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit i… |
| CVE-2024-35211 | Medium | 5.5 | 2024-06-11 | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a successful login, se… |