6 vulnerabilities classified as CWE-315 (Cleartext Storage of Sensitive Information in a Cookie). AI-generated Chinese analysis included.
CWE-315 covers applications that store sensitive information in cleartext inside an HTTP cookie. Because the cookie jar lives on the client, anyone with access to the browser profile, browser developer tools, or an unencrypted network path can read the value directly: account identifiers, roles, credentials, or session state. Encoding is not protection; a base64 or hex value is recognised and decoded in seconds, so "obfuscated" cookies should be treated as cleartext. The fix is to keep sensitive data out of cookies entirely: the cookie should carry only an opaque, randomly generated session identifier, with the actual state held in a server-side session store and looked up on each request. Where a cookie is issued, set the Secure, HttpOnly, and SameSite attributes to limit transport over plaintext HTTP, script access, and cross-site sending respectively. Note that these attributes reduce exposure but do not make a cookie a safe place for a secret; a sensitive value stored in a cookie remains a CWE-315 weakness even with all three flags set.
Illustrative snippet from the CWE-315 entry, in which an account identifier is written directly into a cookie:

```java
// CWE-315 example: the sensitive account ID is the cookie's cleartext value
response.addCookie( new Cookie("userAccountID", acctID) );
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-8528 | Exrick xboot getMenuList sensitive information in a cookie — xboot | 3.7 | Low | 2025-08-04 |
| CVE-2025-4537 | yangzongzhuan RuoYi-Vue Password login.vue sensitive information in a cookie — RuoYi-Vue | 3.1 | Low | 2025-05-11 |
| CVE-2024-8644 | Cleartext Storage of Sensitive Information in Oceanic Software's ValeApp — ValeApp | 5.3 (AI-estimated) | Medium (AI-estimated) | 2024-09-27 |
| CVE-2024-24768 | 1Panel set-cookie is missing the Secure keyword — 1Panel | 6.5 | Medium | 2024-02-05 |
| CVE-2021-34564 | In WirelessHART-Gateway versions 3.0.9 a vulnerability allows to read and write sensitive data in a cookie — WHA-GW-F2D2-0-AS-Z2-ETH | 5.5 | Medium | 2021-08-31 |
| CVE-2018-19941 | Cleartext Storage of Sensitive Information in Cookies — QTS | 7.5 | - | 2020-12-31 |
Vulnerabilities classified as CWE-315 (Cleartext Storage of Sensitive Information in a Cookie) account for 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.