CVE-2021-39210

MEDIUM Year: 2021
CVSS v3 Score
6.5
Medium
CVSS v2 Score
3.5
Low
Weakness Type
CWE-1004
View all →

Vulnerability Description

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

Related Vulnerabilities

CVE-2019-8283

MEDIUM
CVSS:6.5(Medium)

Hasplm cookie in Gemalto Admin Control Center, all versions prior to 7.92, does not have 'HttpOnly' flag. This allows malicious javascript to steal it.

CWE-10042019

CVE-2020-6267

MEDIUM
CVSS:6.3(Medium)

Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing HttpOnly flag, leading to sensitive cookie without Http Only flag.

CWE-10042020

CVE-2025-24318

MEDIUM
CVSS:6.8(Medium)

Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.

CWE-10042025

CVE-2020-27658

MEDIUM
CVSS:6.1(Medium)

Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensi...

CWE-10042020

CVE-2022-21939

MEDIUM
CVSS:6.1(Medium)

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

CWE-10042022

CVE-2023-2876

MEDIUM
CVSS:6.1(Medium)

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in ABB REX640 PCL1 (firmware modules), ABB REX640 PCL2 (Firmware modules), ABB REX640 PCL3 (firmware modules) allows Cross-Site Scripting (XSS).T...

CWE-10042023