
CWE-1275 — Vulnerability Class 8

8 vulnerabilities classified as CWE-1275. AI Chinese analysis included.

CWE-1275 covers sensitive cookies (session identifiers, CSRF tokens, anything that grants authority) that are set without a SameSite attribute or with SameSite=None. The browser attaches such cookies to cross-site requests, including the POST generated by an auto-submitting form on an attacker-controlled page, so an authenticated victim's session can be used to perform state-changing actions the victim never intended: a classic Cross-Site Request Forgery (CSRF). The mitigation is to set SameSite=Strict or SameSite=Lax explicitly on every sensitive cookie. Strict withholds the cookie from all cross-site requests; Lax still sends it on top-level navigations that use a safe method such as GET, so state-changing GET endpoints remain exposed under Lax. Do not rely on browser defaults: Chromium treats an unset attribute as Lax (with a temporary exception that still sends the cookie on top-level POSTs shortly after it is set), while other engines and older versions treat it as None. If a cookie genuinely must be sent cross-site, browsers only accept SameSite=None together with the Secure attribute, which restricts the cookie to HTTPS. SameSite is a defense-in-depth control, not a complete one: anti-CSRF tokens (or server-side Origin/Referer checks) remain the primary protection against unauthorized state changes.

MITRE CWE Description
The SameSite attribute for sensitive cookies is not set, or an insecure value is used. The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: 'Lax', 'Strict', or 'None'. If the 'None' value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).
Common Consequences (1)
Scope: Confidentiality, Integrity, Non-Repudiation, Access Control. Impact: Modify Application Data.
If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposure to CSRF attacks. The likelihood of the integrity breach is Low because a successful attack does not only depend on an insecure SameSite attribute. I…
Mitigations (1)
Phase: Implementation. Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like …
Effectiveness: High
Examples (1)
In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID.
// Express route handler: the cookie is given a Domain but no SameSite
// (and no Secure or HttpOnly) attribute, so the browser may send it on
// cross-site requests such as the attacker's form POST below.
let sessionId = generateSessionId()
let cookieOptions = { domain: 'example.com' }
response.cookie('sessionid', sessionId, cookieOptions)
Bad · JavaScript
<html>
  <form id=evil action="http://local:3002/setEmail" method="POST">
    <input type="hidden" name="newEmail" value="abc@example.com" />
  </form>
  <script>evil.submit()</script>
</html>
Attack · HTML
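The following is an added example, not MITRE's text or the page's own code. It models the mitigation described above and the attack in the example: a Set-Cookie builder that refuses the insecure combinations CWE-1275 describes (no SameSite, or SameSite=None without Secure), and a function that reproduces the browser's decision of whether a cookie is attached to a cross-site request for each SameSite value. The hostnames (evil.example, app.example.com, www.example.com) and request contexts are constructed, the registrable-domain comparison is a simplification that ignores the Public Suffix List, and an unset attribute is treated as None (the historical default) so the vulnerable case is visible.

```javascript
// Added example (not MITRE's or the page's code): a model of the browser's
// SameSite decision plus a Set-Cookie builder that refuses the insecure
// combinations CWE-1275 describes. All hostnames below are constructed.

const SAMESITE_VALUES = ['Strict', 'Lax', 'None'];
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Build a Set-Cookie header value for a sensitive cookie. Throws when the
// SameSite attribute is missing or when SameSite=None is used without
// Secure (browsers reject that combination outright).
function buildSetCookie(name, value, opts = {}) {
  const { sameSite, secure = false, httpOnly = false, path = '/', domain } = opts;
  if (!SAMESITE_VALUES.includes(sameSite)) {
    throw new Error(`SameSite must be one of ${SAMESITE_VALUES.join(', ')}`);
  }
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Registrable domain of a host, simplified to its last two labels. Real
// browsers consult the Public Suffix List; this shortcut is an assumption
// of the example and is wrong for suffixes such as co.uk.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Does the browser attach `cookie` to the request `req`?
//   req.initiator - host of the page that caused the request
//   req.target    - host the request is sent to
//   req.method    - HTTP method
//   req.topLevel  - true for a top-level navigation (address bar changes),
//                   false for subresources, fetch/XHR and iframes
// A cookie with no SameSite attribute is treated as None here, the
// historical default; Chromium now treats it as Lax (with a temporary
// exception for top-level POSTs), so code must not rely on either default.
function cookieIsSent(cookie, req) {
  const crossSite = siteOf(req.initiator) !== siteOf(req.target);
  if (!crossSite) return true;
  switch (cookie.sameSite || 'None') {
    case 'Strict':
      return false; // never on any cross-site request
    case 'Lax':
      return req.topLevel && SAFE_METHODS.includes(req.method.toUpperCase());
    case 'None':
      return true; // always sent, which is what enables CSRF
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed request contexts mirroring the CWE example: a page on the
// attacker's site auto-submits a POST form to the application's /setEmail.
const CSRF_POST = { initiator: 'evil.example', target: 'app.example.com', method: 'POST', topLevel: true };
const CSRF_GET = { initiator: 'evil.example', target: 'app.example.com', method: 'GET', topLevel: true };
const CSRF_FETCH = { initiator: 'evil.example', target: 'app.example.com', method: 'POST', topLevel: false };
const SAME_SITE_POST = { initiator: 'www.example.com', target: 'app.example.com', method: 'POST', topLevel: false };

// The page's "Bad" cookie (no SameSite at all) versus a hardened one.
const insecureCookie = { name: 'sessionid' };
const hardenedCookie = { name: 'sessionid', sameSite: 'Lax' };

console.log(buildSetCookie('sessionid', 'abc123', { sameSite: 'Lax', secure: true, httpOnly: true }));
for (const [label, req] of Object.entries({ CSRF_POST, CSRF_GET, CSRF_FETCH, SAME_SITE_POST })) {
  console.log(label, 'insecure:', cookieIsSent(insecureCookie, req), 'hardened:', cookieIsSent(hardenedCookie, req));
}
```

Running the block shows the insecure cookie riding along on the attacker's POST while the Lax cookie is withheld from it; the Lax cookie is still sent on the attacker's top-level GET link, which is why state-changing GET endpoints need Strict or an anti-CSRF token on top.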

Vulnerabilities classified as CWE-1275 represent 8 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.