CWE-565 75 個 CVE MITRE 定義 ↗

CWE-565:Reliance on Cookies without Validation and Integrity Checking

概覽

CWE-565(Reliance on Cookies without Validation and Integrity Checking)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-53871 2026-06-17 Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authentic…
CVE-2026-8337 2026-05-21 Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unaut…
CVE-2026-0257 2026-05-13 Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized V…
CVE-2026-39963 2026-04-15 Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as …
CVE-2026-39324 2026-04-07 Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryp…
CVE-2026-5130 2026-03-30 The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troub…
CVE-2014-125112 2026-03-25 Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows a…
CVE-2022-50926 2026-01-13 WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie's 'name' and 'roles' pa…
CVE-2025-65212 2026-01-06 An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request…
CVE-2025-14440 2025-12-13 The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_regist…
CVE-2021-47706 2025-12-09 COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in s…
CVE-2025-64447 2025-12-09 A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 thro…
CVE-2025-48980 2025-10-30 In Brave Browser Desktop versions prior to 1.83.10 that have the split view feature enabled, the "Open Link in Split View" context menu item did not respect the SameSite cookie attribute. Therefore Sa…
CVE-2025-59247 2025-10-09 Azure PlayFab Elevation of Privilege Vulnerability
CVE-2025-31120 2025-04-18 NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker t…
CVE-2024-55211 2025-04-17 An issue in Think Router Tk-Rt-Wr135G V3.0.2-X000 allows attackers to bypass authentication via a crafted cookie.
CVE-2025-2395 2025-03-17 The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.
CVE-2024-9970 2024-10-15 The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specifi…
CVE-2024-9820 2024-10-14 The WP 2FA with Telegram plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 3.0. This is due to the two-factor code being stored in a cookie, whic…
CVE-2024-21583 2024-07-19 Versions of the package github.com/gitpod-io/gitpod/components/server/go/pkg/lib before main-gha.27122; versions of the package github.com/gitpod-io/gitpod/components/ws-proxy/pkg/proxy before main-gh…

曾用名

  • Use of Cookies (2008-04-11)
  • Use of Cookies in Security Decision (2009-07-27)

內容提交

名稱
Anonymous Tool Vendor (under NDA)
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Sean Eidemiller 1.0 added/updated demonstrative examples
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Other_Notes, Taxonomy_Mappings
2009-01-12 CWE Content Team 1.2 updated Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships
2009-07-16 CWE Content Team 1.5 Critical Clarified name and description; broadened the definition to include any security-critical operation, not just security decisions, to allow for relationships with injection weaknesses.
2009-07-27 CWE Content Team 1.5 updated Description, Name, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
2009-10-29 CWE Content Team 1.6 updated Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, Relationships
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, Relationships
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships
2020-02-24 CWE Content Team 4.0 updated Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2023-10-26 CWE Content Team 4.13 updated Observed_Examples
2025-04-03 CWE Content Team 4.17 updated Common_Consequences, Description, Diagram
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence