
CVE-2025-26844

CVSS 9.8 CRITICAL · EPSS 0.4% · CWE-1004
In short

Znuny sets a cookie, including the one that carries the logged-in session, without the HttpOnly flag, so any JavaScript running in a Znuny page can read it through document.cookie. HttpOnly is the browser-side control that keeps scripts away from cookies; without it, a script-injection bug anywhere in the application (an XSS flaw, a compromised third-party script) turns into session theft, regardless of how the server validates the session.

Technical detail

Znuny through 7.1.3 issues a cookie without the HttpOnly attribute, so its value is exposed to client-side script via document.cookie (CWE-1004). On its own this is a missing defence-in-depth control: the attacker still needs a way to execute script in the victim's browser within the Znuny origin, typically an XSS vulnerability or an injected third-party script. With that in hand, the session cookie can be exfiltrated to an attacker-controlled host and replayed from there, which yields account takeover that outlives the victim's browser session. Had HttpOnly been set, the same injected script could still issue requests as the victim while the tab is open, but could not read the cookie for later, out-of-browser use. Note that the CVSS vector below rates the issue as network-exploitable with no privileges or user interaction; in practice exploitation depends on a separate script-execution vector. To check an installation, inspect the Set-Cookie response headers on login, or evaluate document.cookie in the browser console: a session cookie that appears there is not HttpOnly.
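The check described above, as an added example that is not Znuny's own code: a small audit of Set-Cookie header values that flags missing HttpOnly (the attribute this advisory concerns) and, while it is there, missing Secure and SameSite. The header lines are constructed for illustration; the cookie names, the path /znuny/ and the session-name heuristic are assumptions, not taken from Znuny.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite.

Added example for this advisory, not Znuny's code. The header values in
SAMPLE_SET_COOKIE are constructed to show the CWE-1004 pattern; cookie
names and paths are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Heuristic: names that usually identify an authentication/session cookie.
# Missing HttpOnly on such a cookie is the session-theft case; on a
# preference cookie it is merely untidy.
SESSION_NAME_HINT = re.compile(r"session|sess|sid|auth|token|interface", re.I)


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and attribute flags.

    Attributes are split on ';' only, so an Expires date containing a comma
    is handled correctly. Attribute keys are case-insensitive per RFC 6265.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, value = attr.partition("=")
        # Bare attributes (HttpOnly, Secure) carry no value; record True.
        attrs[key.strip().lower()] = value.strip() or True
    raw_samesite = attrs.get("samesite")
    return CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        # A bare "SameSite" without a value is treated as not set.
        samesite=raw_samesite if isinstance(raw_samesite, str) else None,
    )


def audit_cookie(header: str) -> CookieAudit:
    """Attach findings to a parsed cookie; HttpOnly is the advisory's point."""
    cookie = parse_set_cookie(header)
    looks_like_session = bool(SESSION_NAME_HINT.search(cookie.name))
    if not cookie.httponly:
        severity = "HIGH" if looks_like_session else "LOW"
        cookie.findings.append(
            f"{severity}: missing HttpOnly (CWE-1004), readable via document.cookie"
        )
    if not cookie.secure:
        cookie.findings.append("missing Secure, cookie is sent over plaintext HTTP")
    if cookie.samesite is None:
        cookie.findings.append("missing SameSite, cookie rides on cross-site requests")
    return cookie


def audit_headers(headers: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie value from one response, preserving order."""
    return [audit_cookie(h) for h in headers]


# Constructed sample: one vulnerable session cookie, its hardened form, and a
# harmless preference cookie. None of these are real Znuny headers.
SAMPLE_SET_COOKIE = [
    "AgentSession=0123456789abcdef; Path=/znuny/; Secure",
    "AgentSessionHardened=0123456789abcdef; Path=/znuny/; Secure; HttpOnly; SameSite=Lax",
    "UserLanguage=en; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]

if __name__ == "__main__":
    for result in audit_headers(SAMPLE_SET_COOKIE):
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{result.name}: {status}")
```

To run this against a live instance, collect the Set-Cookie headers from the login response (for example from the browser's network panel or `curl -si` output) and pass them to audit_headers; the HIGH finding on a session cookie is the condition this advisory describes.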

Summary generated and translated by AI from the official description.

Official description
An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Znuny through 7.1.3 (vendor/product fields on this record: n/a · n/a)
