
CWE-539 (Information Exposure Through Persistent Cookies) — Vulnerability Class 6

6 vulnerabilities classified as CWE-539 (Information Exposure Through Persistent Cookies). AI Chinese analysis included.

CWE-539 represents a data exposure weakness where web applications store sensitive information within persistent cookies. These cookies, which remain on the user’s device after the browser closes, are typically exploited by attackers who gain access to the local file system or intercept unencrypted network traffic. By reading these stored values, adversaries can steal session identifiers, authentication tokens, or personally identifiable information, leading to account takeover or privacy breaches. To mitigate this risk, developers must strictly avoid placing any confidential data in cookies. Instead, they should utilize server-side sessions for state management and ensure that any necessary client-side storage contains only non-sensitive, public identifiers. Additionally, implementing secure cookie flags, such as HttpOnly and Secure, further reduces the attack surface by preventing client-side script access and enforcing transmission over encrypted channels.

MITRE CWE Description
The web application uses persistent cookies, but the cookies contain sensitive information. Cookies are small bits of data that are sent by the web application but stored locally in the browser. This lets the application use the cookie to pass information between pages and store variable information. The web application controls what information is stored in a cookie and how it is used. Typical types of information stored in cookies are session identifiers, personalization and customization information, and in rare cases even usernames to enable automated logins. There are two different types of cookies: session cookies and persistent cookies. Session cookies just live in the browser's memory and are not stored anywhere, but persistent cookies are stored on the browser's hard drive. This can cause security and privacy issues depending on the information stored in the cookie and how it is accessed.
Common Consequences (1)
Confidentiality: Read Application Data
Mitigations (1)
Architecture and Design: Do not store sensitive information in persistent cookies.
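As an added example (not code from this page or from the CVEs it classifies), the following Python audit flags the CWE-539 pattern described in the analysis above and in the MITRE mitigation: a cookie made persistent through Expires or Max-Age whose name or value looks sensitive, plus the missing HttpOnly and Secure flags, next to the hardened form that carries only an opaque server-side session id. The sensitive-name list, the value patterns and the sample headers are constructed assumptions.

```python
import re

# Cookie names that suggest the value itself is sensitive (heuristic list, an assumption).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "email", "ssn", "token", "auth"}
# Value shapes that leak data on their own: e-mail addresses and JWT-like blobs.
SENSITIVE_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$|^eyJ[\w-]+\.[\w-]+\.[\w-]+$")

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def is_persistent(attrs):
    """A cookie outlives the browser session if Expires or a positive Max-Age is set."""
    if "expires" in attrs:
        return True
    try:
        return int(attrs.get("max-age", "0")) > 0
    except ValueError:
        return False

def audit_set_cookie(header):
    """Return the list of findings for one Set-Cookie header (empty when clean)."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    sensitive = name.lower() in SENSITIVE_NAMES or bool(SENSITIVE_VALUE.match(value))
    if is_persistent(attrs) and sensitive:
        findings.append(f"CWE-539: persistent cookie '{name}' carries sensitive data")
    if "httponly" not in attrs:
        findings.append(f"'{name}' lacks HttpOnly (readable by page scripts)")
    if "secure" not in attrs:
        findings.append(f"'{name}' lacks Secure (may be sent over plaintext HTTP)")
    return findings

def build_session_cookie(session_id):
    """Hardened alternative: opaque server-side session id in a non-persistent cookie."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"

# Constructed sample headers: the weak pattern (PII and a token in persistent cookies).
WEAK_HEADERS = [
    "email=alice@example.com; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
    "auth=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig; Max-Age=31536000; Secure",
]
for header in WEAK_HEADERS + [build_session_cookie("opaque-random-id")]:
    print(header, "->", audit_set_cookie(header) or ["ok"])
```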

Vulnerabilities classified as CWE-539 (Information Exposure Through Persistent Cookies) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.