Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27453 | 2025-07-03 | N/A | 5.3 MEDIUM | ||
| The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript. | |||||
| CVE-2025-49189 | 2025-06-12 | N/A | 5.3 MEDIUM | ||
| The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies. | |||||
| CVE-2025-47289 | 2025-06-02 | N/A | 6.3 MEDIUM | ||
| CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue. | |||||
| CVE-2025-24318 | 2025-02-28 | N/A | 6.8 MEDIUM | ||
| Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise. | |||||
| CVE-2024-6739 | 1 Openfind | 2 Mailaudit, Mailgates | 2024-11-21 | N/A | 5.3 MEDIUM |
| The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. | |||||
| CVE-2024-47833 | 1 Avaiga | 1 Taipy | 2024-10-16 | N/A | 6.5 MEDIUM |
| Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||