SYM_PY_0238 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Sensitive Cookie with Improper SameSite Attribute
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code sets cookies in a Pyramid application without properly setting the 'samesite' attribute to 'Lax'. This omission makes cookies more vulnerable to being sent with cross-site requests, increasing the risk of unauthorized access.
Impact
If exploited, an attacker could trick a user's browser into sending your site's cookies along with cross-site requests, potentially leading to session hijacking or unauthorized actions on behalf of the user. This weakens the application's defenses against cross-site request forgery (CSRF) and may expose sensitive user data.