
CWE-565 (Reliance on Cookies without Validation and Integrity Checking) — 20 Vulnerabilities

20 vulnerabilities classified as CWE-565 (Reliance on Cookies without Validation and Integrity Checking). AI-generated Chinese analysis included.

CWE-565 is an input validation weakness in which an application trusts cookie data when making a security decision without verifying its integrity or that the value belongs to the requesting user. Attackers exploit it by editing cookie values, such as session identifiers or privilege flags, to impersonate other users or escalate their own permissions. Because cookies are client-side and trivial to modify (in the browser's developer tools, with a proxy, or by skipping the browser entirely), any authentication or authorization decision made directly on a cookie value can be bypassed. The mitigation is to keep security state on the server: the cookie should carry only an opaque, unpredictable session identifier, and the user's identity and role should be looked up in a server-side session store. Where cookie contents must be trusted, they should be cryptographically signed (for example with an HMAC keyed by a server-side secret) so tampering is detected, and they should carry an expiry, since signing alone does not stop a stolen cookie from being replayed. Sensitive actions must never depend solely on unverified client-side data.

MITRE CWE Description
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
Common Consequences (2)
Scope: Confidentiality, Integrity, Availability. Impact: Modify Application Data; Execute Unauthorized Code or Commands.
Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site …
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level.
Mitigations (4)
Phase: Architecture and Design. Avoid using cookie data for a security-related decision.
Phase: Implementation. Perform thorough input validation (i.e., server-side validation) on the cookie data if you're going to use it for a security-related decision.
Phase: Architecture and Design. Add integrity checks to detect tampering.
Phase: Architecture and Design. Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, s…
Examples (1)
Example 1 (Bad, Java). The following code excerpt reads a value from a browser cookie to determine the role of the user. The role is taken verbatim from a client-controlled cookie, so any user can become "admin" by editing the cookie.

    import javax.servlet.http.Cookie;

    // CWE-565: the role is read straight from a client-controlled cookie
    // and later used for an authorization decision.
    Cookie[] cookies = request.getCookies();
    for (int i = 0; i < cookies.length; i++) {
        Cookie c = cookies[i];
        if (c.getName().equals("role")) {
            userRole = c.getValue();
        }
    }
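The following is an added example, not code from MITRE or from any of the listed products. It places the vulnerable pattern of the Java excerpt above beside a hardened version that applies mitigations 2 through 4: the cookie carries only an HMAC-SHA256-signed, expiring session identifier, the signature is checked with a constant-time comparison, and the role is then read from a server-side session store rather than from the cookie. The secret key, the session table, the cookie name "session", and the sample session IDs are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example. In production, load 32+ random bytes from a
# secret store; never hard-code the key.
SECRET_KEY = b"example-only-secret-do-not-use-in-production"

# Constructed server-side session store. The role lives here, never in the cookie.
SESSIONS = {
    "s-7f3a": {"user": "alice", "role": "user"},
    "s-0c91": {"user": "bob", "role": "admin"},
}

SESSION_TTL = 900  # seconds; bounds the replay window of a stolen cookie


def parse_cookie_header(header):
    """Split a raw 'Cookie:' header value ('a=1; b=2') into a dict."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def vulnerable_role(cookie_header):
    """CWE-565: the access decision uses the client-supplied 'role' cookie as-is."""
    return parse_cookie_header(cookie_header).get("role", "guest")


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(session_id, now=None):
    """Mint 'payload.mac': base64url(JSON with expiry) and HMAC-SHA256 over it."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sid": session_id, "exp": now + SESSION_TTL},
                         sort_keys=True, separators=(",", ":")).encode()
    body = _b64e(payload)
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(mac)


def verify_session_cookie(token, now=None):
    """Return the payload if the MAC matches and it has not expired, else None."""
    now = int(time.time()) if now is None else now
    body, sep, mac_text = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    try:
        # compare_digest avoids leaking the MAC through timing differences
        if not hmac.compare_digest(expected, _b64d(mac_text)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def hardened_role(cookie_header, now=None):
    """Integrity-check the cookie, then take the role from the server-side session."""
    token = parse_cookie_header(cookie_header).get("session", "")
    payload = verify_session_cookie(token, now)
    if payload is None:
        return "guest"
    record = SESSIONS.get(payload.get("sid"))
    return record["role"] if record else "guest"


if __name__ == "__main__":
    t0 = 1_700_000_000
    print(vulnerable_role("role=admin"))                  # admin: attacker just edited the cookie
    good = issue_session_cookie("s-7f3a", now=t0)
    print(hardened_role("session=" + good, now=t0))       # user: role comes from SESSIONS
    body, mac = good.split(".")
    forged = _b64e(b'{"exp":9999999999,"sid":"s-0c91"}') + "." + mac
    print(hardened_role("session=" + forged, now=t0))     # guest: MAC no longer matches
    print(hardened_role("session=" + good, now=t0 + SESSION_TTL))  # guest: expired
```

The forged token keeps a valid MAC from a real cookie but swaps the body for bob's session, which fails the integrity check; the expired token passes the MAC check but is rejected by the timeout, which is what mitigation 4 asks for. Note that expiry limits, but does not eliminate, replay of a cookie stolen within its lifetime; single-use or transaction-bound tokens need server-side tracking on top of this.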
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-39963 | Serendipity: Host Header Injection enables authentication cookie scoping to an attacker-controlled domain | Serendipity | 6.9 | Medium | 2026-04-14
CVE-2026-5130 | Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation | Debugger & Troubleshooter | 8.8 | High | 2026-03-30
CVE-2014-125112 | Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution | Plack::Middleware::Session::Cookie | 9.8 (AI) | Critical (AI) | 2026-03-26
CVE-2022-50926 | WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation | WAGO 750-8212 PFC200 | 9.8 | Critical | 2026-01-13
CVE-2025-14440 | JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie | JAY Login & Register | 9.8 | Critical | 2025-12-13
CVE-2021-47706 | COMMAX Biometric Access Control System Authentication Bypass | COMMAX Biometric Access Control System | 7.5 (AI) | High (AI) | 2025-12-09
CVE-2025-64447 | Fortinet FortiWeb security vulnerability | FortiWeb | 7.1 | High | 2025-12-09
CVE-2025-31120 | NamelessMC Vulnerable to Cookie-Based View Count Manipulation | Nameless | 5.3 | Medium | 2025-04-18
CVE-2025-2395 | e-Excellence U-Office Force - Improper Authentication | U-Office Force | 9.8 | Critical | 2025-03-17
CVE-2024-9970 | NewType FlowMaster BPM Plus - Privilege Escalation | FlowMaster BPM Plus | 8.8 | High | 2024-10-15
CVE-2024-0947 | Cookies Manipulation in Talya Informatics' Elektraweb | Elektraweb | 9.8 | Critical | 2024-06-27
CVE-2024-21872 | Electrolink FM/DAB/TV Transmitter Reliance on Cookies without Validation and Integrity Checking | Compact DAB Transmitter | 7.5 | High | 2024-04-18
CVE-2024-22186 | Electrolink FM/DAB/TV Transmitter Reliance on Cookies without Validation and Integrity Checking | Compact DAB Transmitter | 8.8 | High | 2024-04-18
CVE-2023-32725 | Leak of zbx_session cookie when using a scheduled report that includes a dashboard with a URL widget | Zabbix | 9.6 | Critical | 2023-12-18
CVE-2023-41084 | Socomec MOD3GP-SY-120K Reliance on Cookies without Validation and Integrity Checking | MODULYS GP (MOD3GP-SY-120K) | 10.0 | Critical | 2023-09-18
CVE-2021-3818 | Reliance on Cookies without Validation and Integrity Checking in getgrav/grav | getgrav/grav | - | - | 2021-09-27
CVE-2021-33842 | Circutor SGE-PLC1000 improper authentication | SGE-PLC1000 | 8.8 | High | 2021-06-09
CVE-2021-29624 | Lack of protection against cookie tossing attacks in fastify-csrf | fastify-csrf | 6.5 | Medium | 2021-05-19
CVE-2020-15128 | Reliance on Cookies without validation in OctoberCMS | october | 6.1 | Medium | 2020-07-31
CVE-2018-5455 | Moxa OnCell G3100-HSPA Series security vulnerability | Moxa OnCell G3100-HSPA Series | 9.8 | - | 2018-03-05

"(AI)" marks a CVSS score and severity the site flags as AI-derived rather than taken from the official record; "-" means no value was listed.

Vulnerabilities classified as CWE-565 (Reliance on Cookies without Validation and Integrity Checking) represent 20 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.