A cookie was set without the Secure (or HttpOnly) attribute, exposing it to cleartext transmission or script access.
How it's exploited
A session cookie was set without Secure and/or HttpOnly. Without Secure, the browser will send it over plaintext connections; without HttpOnly, any script running in that web context (XSS, injected page) can read it.
Why it matters
Session hijacking via network capture or script access to the cookie.
How to fix it
Set the Secure, HttpOnly, and SameSite attributes on session cookies at the server.
This is a backend fix; redeploy and re-run the scan to confirm it clears.
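One way to confirm the fix from captured response headers, shown as an added example that is not part of the original advisory. The function names are hypothetical, the Set-Cookie values are constructed samples, and every value passed in is assumed to be a session cookie.

```python
# Added example: report which of Secure / HttpOnly / SameSite are absent
# from Set-Cookie header values. Attribute names are case-insensitive.
REQUIRED = ("secure", "httponly", "samesite")

def parse_set_cookie(header_value):
    """Return (cookie_name, {lowercased_attribute_name: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    # The cookie value itself may contain '=', so split only on the first one.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def missing_attributes(header_value):
    """List the required attributes absent from one Set-Cookie value."""
    _, attrs = parse_set_cookie(header_value)
    return [a for a in REQUIRED if a not in attrs]

def audit(header_values):
    """Return [(cookie_name, [missing attributes])] for failing cookies only."""
    findings = []
    for value in header_values:
        name, _ = parse_set_cookie(value)
        missing = missing_attributes(value)
        if missing:
            findings.append((name, missing))
    return findings

# Constructed sample Set-Cookie values (not taken from a real scan).
SAMPLE_HEADERS = [
    "legacy_session=abc123; Path=/",
    "partial_session=abc123; Path=/; Secure",
    "good_session=abc123; Path=/; secure; HTTPONLY; SameSite=Lax",
    "token=a=b==; HttpOnly; SameSite=Strict;",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

An empty result from `audit` over the redeployed application's Set-Cookie values means all three attributes are present on every cookie checked.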