MEDIUM 5.3
PYSEC-2026-885
nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag
Details
A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file `src/nsupdate/settings/base.py` of the component `CSRF Cookie Handler`. The manipulation of the argument `CSRF_COOKIE_HTTPONLY` leads to cookie without `httponly` flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-25091 [ADVISORY]
- https://github.com/nsupdate-info/nsupdate.info/pull/410 [WEB]
- https://github.com/nsupdate-info/nsupdate.info/commit/60a3fe559c453bc36b0ec3e5dd39c1303640a59a [WEB]
- https://github.com/nsupdate-info/nsupdate.info [PACKAGE]
- https://vuldb.com/?ctiid.216909 [WEB]
- https://vuldb.com/?id.216909 [WEB]
- https://pypi.org/project/nsupdate [PACKAGE]
- https://github.com/advisories/GHSA-mwvp-qr62-cvjx [ADVISORY]