CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
Description
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Parent Weaknesses (ChildOf)
Common Consequences
Impact: Read Application Data
Impact: Gain Privileges or Assume Identity
Potential Mitigations
Leverage the HttpOnly flag when setting a sensitive cookie in a response.
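The following is an added example, not code from the CWE entry: it shows the weak and the hardened form of a session cookie built with Python's standard http.cookies module, plus a small audit routine that parses Set-Cookie header values and reports sensitive cookies that lack HttpOnly (it also notes a missing Secure attribute, which is the separate weakness CWE-614). The cookie names treated as sensitive and the sample response headers are constructed for the example.

```python
"""Added example for CWE-1004: emit a session cookie with and without HttpOnly,
and audit Set-Cookie headers for the flag. Not code from the CWE entry."""
from http.cookies import SimpleCookie

# Assumed naming convention for cookies that carry session/auth material.
SENSITIVE_NAMES = {"sessionid", "session", "auth", "token"}


def build_session_cookie(name: str, value: str,
                         httponly: bool = True, secure: bool = True) -> str:
    """Return a Set-Cookie header value for a session cookie.

    httponly=False reproduces the weakness: script on the page (e.g. injected
    via XSS) can read document.cookie and obtain the session value.
    httponly=True is the mitigation: the browser withholds the cookie from script
    while still sending it on HTTP requests.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"
    if httponly:
        morsel["httponly"] = True   # rendered as "; HttpOnly"
    if secure:
        morsel["secure"] = True     # rendered as "; Secure"
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and flag missing protections.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    name = name.strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    sensitive = name.lower() in SENSITIVE_NAMES
    findings = []
    if sensitive and "httponly" not in attrs:
        findings.append(f"CWE-1004: sensitive cookie {name!r} lacks HttpOnly")
    if sensitive and "secure" not in attrs:
        findings.append(f"CWE-614: sensitive cookie {name!r} lacks Secure")
    return {"name": name, "sensitive": sensitive, "findings": findings}


def audit_response(headers) -> list:
    """Run audit_set_cookie over every Set-Cookie header in a response."""
    return [
        finding
        for hdr_name, hdr_value in headers
        if hdr_name.lower() == "set-cookie"
        for finding in audit_set_cookie(hdr_value)["findings"]
    ]


# Constructed sample response headers (not from any real application).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; Secure"),            # weak: no HttpOnly
    ("Set-Cookie", "theme=dark; Path=/"),                           # not sensitive; script may need it
    ("Set-Cookie", "token=7d2e; Path=/; Secure; HttpOnly; SameSite=Lax"),  # hardened
]


if __name__ == "__main__":
    print("weak:    ", build_session_cookie("sessionid", "3f9a1c", httponly=False))
    print("hardened:", build_session_cookie("sessionid", "3f9a1c"))
    for finding in audit_response(SAMPLE_HEADERS):
        print("finding: ", finding)
```

Non-sensitive cookies such as a UI theme are deliberately left alone by the audit: HttpOnly only matters for values whose disclosure to script would let an attacker read application data or assume a user's identity, which is the consequence pair listed above.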
Observed Examples
CVE-2024-47833: Python library for ML and data science does not use the HTTPOnly security attribute for session cookies.
CVE-2022-24045: Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the HTTPOnly security attribute, allowing the cookie to be accessed.
CVE-2014-3852: CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-4138: Appliance for managing encrypted communications does not use the HttpOnly flag.
Applicable Platforms