Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-25091

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-27 Dec, 2022 | 22:42
Updated At-17 May, 2024 | 01:36
Rejected At-
Credits

nsupdate.info CSRF Cookie base.py cookie httponly flag

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:27 Dec, 2022 | 22:42
Updated At:01 Jan, 1000 | 00:00
Rejected At:
▼CVE Numbering Authority (CNA)
nsupdate.info CSRF Cookie base.py cookie httponly flag

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

Affected Products
Vendor
n/a
Product
nsupdate.info
Modules
  • CSRF Cookie Handler
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
CWECWE-1004CWE-1004 Cookie Without 'HttpOnly' Flag
Type: CWE
CWE ID: CWE-1004
Description: CWE-1004 Cookie Without 'HttpOnly' Flag
Metrics
VersionBase scoreBase severityVector
3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
3.03.7LOW
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.0
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Advisory disclosed2022-12-27 00:00:00
VulDB entry created2022-12-27 01:00:00
VulDB last update2022-12-27 23:47:32
Event: Advisory disclosed
Date: 2022-12-27 00:00:00
Event: VulDB entry created
Date: 2022-12-27 01:00:00
Event: VulDB last update
Date: 2022-12-27 23:47:32
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.216909
vdb-entry
technical-description
https://vuldb.com/?ctiid.216909
signature
permissions-required
https://github.com/nsupdate-info/nsupdate.info/pull/410
issue-tracking
patch
https://github.com/nsupdate-info/nsupdate.info/commit/60a3fe559c453bc36b0ec3e5dd39c1303640a59a
patch
Hyperlink: https://vuldb.com/?id.216909
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.216909
Resource:
signature
permissions-required
Hyperlink: https://github.com/nsupdate-info/nsupdate.info/pull/410
Resource:
issue-tracking
patch
Hyperlink: https://github.com/nsupdate-info/nsupdate.info/commit/60a3fe559c453bc36b0ec3e5dd39c1303640a59a
Resource:
patch
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:27 Dec, 2022 | 23:15
Updated At:17 May, 2024 | 01:36

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary3.13.7LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 3.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
nsupdate
nsupdate
>>nsupdate.info>>Versions before 2019-05-19(exclusive)
cpe:2.3:a:nsupdate:nsupdate.info:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-1004Primarycna@vuldb.com
CWE ID: CWE-1004
Type: Primary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/nsupdate-info/nsupdate.info/commit/60a3fe559c453bc36b0ec3e5dd39c1303640a59acna@vuldb.com
Patch
Third Party Advisory
https://github.com/nsupdate-info/nsupdate.info/pull/410cna@vuldb.com
Patch
Third Party Advisory
https://vuldb.com/?ctiid.216909cna@vuldb.com
Third Party Advisory
https://vuldb.com/?id.216909cna@vuldb.com
Third Party Advisory
Hyperlink: https://github.com/nsupdate-info/nsupdate.info/commit/60a3fe559c453bc36b0ec3e5dd39c1303640a59a
Source: cna@vuldb.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/nsupdate-info/nsupdate.info/pull/410
Source: cna@vuldb.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://vuldb.com/?ctiid.216909
Source: cna@vuldb.com
Resource:
Third Party Advisory
Hyperlink: https://vuldb.com/?id.216909
Source: cna@vuldb.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2025-12031
Matching Score-4
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
ShareView Details
Matching Score-4
Assigner-a0340c66-c385-4f8b-991b-3d05f6fd5220
CVSS Score-5.3||MEDIUM
EPSS-0.04% / 12.71%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 17:22
Updated-07 Nov, 2025 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute

HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

Action-Not Available
Vendor-azure-accessAzure Access Technology
Product-blu-ic2blu-ic4_firmwareblu-ic2_firmwareblu-ic4BLU-IC2BLU-IC4
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CVE-2026-11956
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-Not Assigned
Published-11 Jun, 2026 | 11:30
Updated-11 Jun, 2026 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".

Action-Not Available
Vendor-TwiN
Product-gatus
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CWE ID-CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CVE-2022-4630
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 41.32%
||
7 Day CHG~0.00%
Published-21 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive Cookie Without 'HttpOnly' Flag in lirantal/daloradius

Sensitive Cookie Without 'HttpOnly' Flag in GitHub repository lirantal/daloradius prior to master.

Action-Not Available
Vendor-daloradiuslirantal
Product-daloradiuslirantal/daloradius
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2022-43845
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.09% / 24.83%
||
7 Day CHG~0.00%
Published-24 Sep, 2024 | 10:11
Updated-26 Sep, 2024 | 13:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Aspera Console information disclosure

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.

Action-Not Available
Vendor-IBM Corporation
Product-Aspera Console
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CVE-2022-33167
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.09% / 24.73%
||
7 Day CHG~0.00%
Published-30 Jul, 2024 | 17:05
Updated-13 Aug, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Directory Integrator information disclosure

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_directory_integratorsecurity_directory_integratorSecurity Directory IntegratorSecurity Verify Directory Integrator
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2024-6739
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 30.41%
||
7 Day CHG~0.00%
Published-15 Jul, 2024 | 03:15
Updated-03 Oct, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openfind MailGates and MailAudit - Sensitive Cookie Without 'HttpOnly' Flag

The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS.

Action-Not Available
Vendor-openfindOpenfind
Product-mailgatesmailauditMailAuditMailGates
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2025-49189
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-5.3||MEDIUM
EPSS-0.24% / 48.03%
||
7 Day CHG~0.00%
Published-12 Jun, 2025 | 14:03
Updated-06 Feb, 2026 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookie missing HttpOnly flag

The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of Cross-Side-Scripting attacks which target the stored cookies.

Action-Not Available
Vendor-SICK AG
Product-media_serverSICK Media Server
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CVE-2023-4217
Matching Score-4
Assigner-Moxa Inc.
ShareView Details
Matching Score-4
Assigner-Moxa Inc.
CVSS Score-3.1||LOW
EPSS-0.15% / 34.79%
||
7 Day CHG~0.00%
Published-02 Nov, 2023 | 16:04
Updated-05 Sep, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session cookies attribute not set properly

A vulnerability has been identified in PT-G503 Series versions prior to v5.2, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.

Action-Not Available
Vendor-Moxa Inc.
Product-eds-g503eds-g503_firmwarePT-G503 Series
CWE ID-CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
Details not found