
CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) — Vulnerability Class 47

47 vulnerabilities classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). AI Chinese analysis included.

CWE-614 is a configuration weakness: a sensitive cookie is set during an HTTPS session without the Secure attribute. The Secure attribute is what instructs the browser to send the cookie only over TLS; without it, the browser will also attach the cookie to any plain-HTTP request to the same host, for example after an inadvertent downgrade to HTTP or when the client does not strictly enforce HTTPS. On that unencrypted request an on-path (man-in-the-middle) attacker can read the cookie in cleartext, even though the original session was encrypted. What is exposed is whatever the cookie carries: session identifiers, authentication tokens, or personal data. The mitigation is to set the Secure attribute explicitly on every cookie that holds sensitive information, so it is transmitted only over HTTPS. Pairing this with HTTP Strict Transport Security (HSTS) headers and reviewing server configuration for accidental HTTP fallbacks keeps user sessions confidential and intact for the whole browsing session.

MITRE CWE Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Common Consequences (1)
Confidentiality: Read Application Data
Omitting the secure flag makes it possible for the user agent to send the cookies in plaintext over an HTTP session.
Mitigations (1)
Implementation: Always set the secure attribute when the cookie should be sent via HTTPS only.
Examples (1)
The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).
    Cookie c = new Cookie(ACCOUNT_ID, acctID); // sensitive cookie created without setSecure(true)
    response.addCookie(c);                     // browser may now send it over plain HTTP as well
Bad · Java
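The MITRE snippet shows the defect from the server side, in Java. The following is an added example, written for this page in Python rather than taken from MITRE or from any product listed below, that checks the same property from the response side: it parses Set-Cookie header values, flags cookies that look sensitive but lack the Secure attribute on an HTTPS response (and, as a secondary finding, HttpOnly, since several of the CVEs below bundle the two), and shows what the hardened header should look like. The sensitive-name hint list and the sample headers are constructed assumptions; a real auditor would use its own list of session cookie names.

```python
"""Audit Set-Cookie headers for CWE-614 (Secure attribute missing).

Added example for this page; not MITRE's code and not from any listed product.
"""
from dataclasses import dataclass, field

# Assumption: substrings that mark a cookie as sensitive. A real auditor
# would maintain its own list of session / token cookie names.
SENSITIVE_NAME_HINTS = ("session", "sess", "token", "auth", "account", "ltpatoken")


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for bare flags
    attributes: dict = field(default_factory=dict)

    def is_secure(self) -> bool:
        return "secure" in self.attributes

    def is_httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie value: first name=value pair, then ';'-separated
    attributes whose names are case-insensitive (RFC 6265 semantics)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if sep else True
    return cookie


def looks_sensitive(name: str) -> bool:
    """Heuristic: cookie name contains one of the sensitive hints."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie_headers(headers, served_over_https=True):
    """Return (cookie_name, finding) pairs for sensitive cookies that lack
    Secure on an HTTPS response, plus HttpOnly as a secondary finding.
    Secure is only expected when the response itself came over HTTPS, because
    browsers reject Secure cookies set from a non-secure origin."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_sensitive(cookie.name):
            continue
        if served_over_https and not cookie.is_secure():
            findings.append((cookie.name, "CWE-614: Secure attribute missing on HTTPS response"))
        if not cookie.is_httponly():
            findings.append((cookie.name, "HttpOnly attribute missing"))
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Append Secure and HttpOnly to a Set-Cookie value unless already present,
    keeping the existing attributes and their order unchanged."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


# Constructed sample response headers; the first mirrors the MITRE snippet above.
SAMPLE_HEADERS = [
    "accountID=48291; Path=/",                                    # sensitive, no Secure, no HttpOnly
    "JSESSIONID=abc123; Path=/; HttpOnly",                        # sensitive, no Secure
    "theme=dark; Path=/; Max-Age=31536000",                       # not sensitive, ignored
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",  # correctly flagged
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
    print("hardened:", harden_set_cookie(SAMPLE_HEADERS[0]))
```

Run against the constructed headers, the audit reports accountID twice (no Secure, no HttpOnly) and JSESSIONID once (no Secure), while the theme cookie is skipped and auth_token passes; harden_set_cookie turns the accountID header into `accountID=48291; Path=/; Secure; HttpOnly`, which is the header the MITRE example would emit after adding setSecure(true) and setHttpOnly(true).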
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-22617 | Eaton Intelligent Power Protector security vulnerability | IPP Software | 5.7 | Medium | 2026-04-16
CVE-2026-4820 | IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag | Maximo Application Suite | 4.3 | Medium | 2026-04-01
CVE-2026-32745 | JetBrains Datalore security vulnerability | Datalore | 6.3 | Medium | 2026-03-13
CVE-2026-1697 | Use of unsecure cookies for GraphicalData web service and WebClient web app | PcVue | 7.2 (AI) | High (AI) | 2026-02-26
CVE-2024-58317 | Kentico Xperience <= 13.0.164 Cookie Security Configuration | Xperience | 5.3 | Medium | 2025-12-18
CVE-2025-36249 | IBM Jazz for Service Management is vulnerable to "filter" cookie not sent over SSL | Jazz for Service Management | 3.7 | Low | 2025-10-31
CVE-2025-52614 | HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability | Unica Platform | 3.5 | Low | 2025-10-12
CVE-2025-52632 | HCL AION is susceptible to Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability | AION | 6.5 | Medium | 2025-10-10
CVE-2025-36011 | IBM Jazz for Service Management information disclosure | Jazz for Service Management | 4.3 | Medium | 2025-09-09
CVE-2025-53757 | Insecure Cookie Flags Vulnerability in Digisol DG-GR6821AC Router | XPON ONU Wi-Fi Router (DG-GR6821AC) | 7.5 (AI) | High (AI) | 2025-07-16
CVE-2025-27450 | CVE-2025-27450 | Endress+Hauser MEAC300-FNADE4 | 6.5 | Medium | 2025-07-03
CVE-2025-36026 | IBM Datacap information disclosure | Datacap | 4.3 | Medium | 2025-06-28
CVE-2024-10718 | Cookie without Secure attribute in phpipam/phpipam | phpipam/phpipam | 5.3 | - | 2025-03-20
CVE-2025-24390 | Missing Cookie Flags | OTRS | 6.8 | Medium | 2025-01-27
CVE-2024-28770 | IBM Security Directory Integrator information disclosure | Security Directory Integrator | 4.8 | Medium | 2025-01-27
CVE-2024-28771 | IBM Security Directory Integrator information disclosure | Security Directory Integrator | 4.8 | Medium | 2025-01-27
CVE-2024-30142 | HCL BigFix Compliance is affected by a missing secure flag on a cookie | BigFix Compliance | 3.8 | Low | 2024-11-07
CVE-2024-47833 | Session Cookie without Secure and HTTPOnly flags in taipy | taipy | 5.3 (AI) | Medium (AI) | 2024-10-09
CVE-2024-43180 | IBM Concert information disclosure | Concert | 4.3 | Medium | 2024-09-13
CVE-2024-41684 | Cookie Without Secure Flag Set Vulnerability | SyroTech SY-GPON-1110-WDONT router | 5.3 | - | 2024-07-26
CVE-2023-33860 | IBM Security ReaQta information disclosure | Security QRadar EDR | 5.3 | Medium | 2024-07-10
CVE-2024-35211 | Siemens SINEC Traffic Analyzer security vulnerability | SINEC Traffic Analyzer | 5.5 | Medium | 2024-06-11
CVE-2024-2493 | Session Hijacking Vulnerability in Hitachi Ops Center Analyzer | Hitachi Ops Center Analyzer | 7.5 | High | 2024-04-23
CVE-2023-46179 | IBM Secure Proxy information disclosure | Secure Proxy | 4.3 | Medium | 2024-03-15
CVE-2023-42016 | IBM Sterling B2B Integrator information disclosure | Sterling B2B Integrator | 4.3 | Medium | 2024-02-09
CVE-2024-0349 | SourceCodester Engineers Online Portal missing secure attribute | Engineers Online Portal | 3.7 | Low | 2024-01-09
CVE-2023-5035 | Cookie Without Secure Flag | PT-G503 Series | 3.1 | Low | 2023-11-02
CVE-2023-5866 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in thorsten/phpmyfaq | thorsten/phpmyfaq | 5.3 | - | 2023-10-31
CVE-2023-4654 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in instantsoft/icms2 | instantsoft/icms2 | 5.3 | - | 2023-08-31
CVE-2023-3520 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in it-novum/openitcockpit | it-novum/openitcockpit | 5.3 | - | 2023-07-06

(AI) follows a CVSS score or severity that the source marks as AI-estimated; "-" means no severity was given.

Vulnerabilities classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute) account for 47 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.