Sensitive Cookie with Improper SameSite Attribute
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-1275: Sensitive Cookie with Improper SameSite Attribute |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The code sets cookies in Pyramid responses without explicitly specifying the ‘samesite’ attribute. Without this, browsers may send cookies with cross-site requests, making them more vulnerable to theft or misuse.
Impact#
If exploited, attackers could perform Cross-Site Request Forgery (CSRF) or steal session cookies by tricking users into making requests from another site. This could lead to unauthorized access to user accounts or sensitive data.