CVEbaza.plCWE DictionaryCWE-565
Common Weakness Enumeration

CWE-565

Reliance on Cookies without Validation and Integrity Checking

Category: BaseCVE: 81
Description

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

CVE vulnerabilities with CWE-565 (81)
10.0
CVSS
CRITICAL
CVE-2023-45128

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.

pub. 2023-10-16
10.0
CVSS
CRITICAL
CVE-2023-41084

Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.

pub. 2023-09-18
9.8
CVSS
CRITICAL
CVE-2014-125112

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.

pub. 2026-03-26
9.8
CVSS
CRITICAL
CVE-2025-65212

An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page.

pub. 2026-01-06
9.8
CVSS
CRITICAL
CVE-2025-14440

The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

pub. 2025-12-13
9.8
CVSS
CRITICAL
CVE-2025-2395

The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.

pub. 2025-03-17
9.8
CVSS
CRITICAL
CVE-2024-0947

Reliance on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows Session Credential Falsification through Manipulation, Accessing/Intercepting/Modifying HTTP Cookies, Manipulating Opaque Client-based Data Tokens. This issue affects Elektraweb: before v17.0.68.

pub. 2024-06-27
9.8
CVSS
CRITICAL
CVE-2024-28288

Ruijie RG-NBR700GW 10.3(4b12) router lacks cookie verification when resetting the password, resulting in an administrator password reset vulnerability. An attacker can use this vulnerability to log in to the device and disrupt the business of the enterprise.

pub. 2024-03-30
9.8
CVSS
CRITICAL
CVE-2023-35885

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

pub. 2023-06-20
9.8
CVSS
CRITICAL
CVE-2023-3050

Reliance on Cookies without Validation and Integrity Checking in a Security Decision vulnerability in TMT Lockcell allows Privilege Abuse, Authentication Bypass.This issue affects Lockcell: before 15.

pub. 2023-06-13
9.8
CVSS
CRITICAL
CVE-2022-38297

UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.

pub. 2022-09-12
9.8
CVSS
CRITICAL
CVE-2021-28171

The Vangene deltaFlow E-platform does not take properly protective measures. Attackers can obtain privileged permissions remotely by tampering with users’ data in the Cookie.

pub. 2021-04-06
9.8
CVSS
CRITICAL
CVE-2019-7266

Linear eMerge 50P/5000P devices allow Authentication Bypass.

pub. 2019-07-02
9.8
CVSS
CRITICAL
CVE-2018-20512

EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privileges by sending cooLogin=1, cooUser=admin, and timestamp=-1 cookies.

pub. 2019-01-03
9.8
CVSS
CRITICAL
CVE-2018-5190

PicturesPro Photo Cart 6 and 7 before Security-Patch-2018-B allows remote attackers to access arbitrary customer accounts via a modified cookie, related to pc_head.php, pc_login.php, and pc_login_page.php.

pub. 2018-04-17
9.8
CVSS
CRITICAL
CVE-2018-5455

A Reliance on Cookies without Validation and Integrity Checking issue was discovered in Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. The application allows a cookie parameter to consist of only digits, allowing an attacker to perform a brute force attack bypassing authentication and gaining access to device functions.

pub. 2018-03-05
9.8
CVSS
CRITICAL
CVE-2017-7279

An unprivileged user of the Unitrends Enterprise Backup before 9.0.0 web server can escalate to root privileges by modifying the "token" cookie issued at login.

pub. 2017-04-12
9.8
CVSS
CRITICAL
CVE-2008-5784

V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.

pub. 2008-12-31
9.6
CVSS
CRITICAL
CVE-2023-32725

The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular user.

pub. 2023-12-18
9.3
CVSS
CRITICAL
CVE-2026-39324

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. This allows an unauthenticated attacker to supply a crafted session cookie that is accepted as valid session data without knowledge of any configured secret. Because this mechanism is used to load session state, an attacker can manipulate session contents and potentially gain unauthorized access. This vulnerability is fixed in 2.1.2.

pub. 2026-04-07
Showing 20 of 81 vulnerabilities
Information
ID: CWE-565
Type: Base
Vulnerabilities: 81
MITRE CWE ↗
← CWE Dictionary