CVE-2026-35140
Received Received - Intake

Missing Secure Attribute in Encrypted Session Cookie in HCL DFXAnalytics

Vulnerability report for CVE-2026-35140, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: HCL Software

Description

HCL DFXAnalytics is affected by a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability. The application fails to set the "secure" attribute on session cookies generated during authentication, which could allow a remote attacker to intercept network traffic and capture sensitive cookies, session tokens, or credentials sent in cleartext over unencrypted channels.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hcl dfxanalytics *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

HCL DFXAnalytics has a Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability. The application does not set the 'secure' attribute on session cookies during authentication. This allows attackers to intercept network traffic and capture sensitive cookies, session tokens, or credentials sent over unencrypted channels.

Detection Guidance

To detect this vulnerability, inspect HTTP responses for session cookies and verify if the 'Secure' attribute is missing. Use browser developer tools or commands like 'curl -I <target_URL>' to check response headers for 'Set-Cookie' fields without 'Secure'. Network monitoring tools like Wireshark can capture unencrypted traffic containing session cookies.

Impact Analysis

An attacker could capture sensitive session cookies or credentials if they intercept network traffic. This may lead to unauthorized access to user accounts or sensitive data, depending on the application's functionality and user permissions.

Compliance Impact

This vulnerability could violate compliance requirements for data protection and secure transmission, such as GDPR's encryption mandates or HIPAA's safeguards for protected health information. Failure to secure session cookies may result in non-compliance and potential legal consequences.

Mitigation Strategies

Apply the latest security patch from HCL DFXAnalytics as per their security bulletin. Configure the application server to enforce the 'Secure' attribute on all session cookies. Ensure all communications occur over HTTPS to prevent interception of sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart