VariantDraft

CWE-315Cleartext Storage of Sensitive Information in a Cookie

Category: data-exposure

Description

The product stores sensitive information in cleartext in a cookie. Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Common consequences· 1

  • Confidentiality — Read Application Data

Related CAPEC attack patterns· 4

CAPEC-31CAPEC-37CAPEC-39CAPEC-74

References

  1. https://cwe.mitre.org/data/definitions/315.html

Exploits (incoming)4

TypeTargetConfidenceTier
AttackPatternManipulating Opaque Client-based Data Tokenscapec-39100%live
AttackPatternRetrieve Embedded Sensitive Datacapec-37100%live
AttackPatternAccessing/Intercepting/Modifying HTTP Cookiescapec-31100%live
AttackPatternManipulating Statecapec-74100%live

(incoming)1

TypeTargetConfidenceTier
VulnerabilityCVE-2026-25818cve-2026-258180%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Reliance on Cookies without Validation and Integrity Checking
CWE
Sensitive Cookie Without 'HttpOnly' Flag
CWE
Cleartext Storage of Sensitive Information
CWE
Cleartext Storage in a File or on Disk
CWE
Cleartext Storage of Sensitive Information in GUI
CWE
Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.