Total
288 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5384 | 1 Axiomsl | 1 Axiom | 2019-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnerable to a Session Fixation attack. | |||||
| CVE-2019-5523 | 1 Vmware | 1 Vcloud Director | 2019-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session. | |||||
| CVE-2017-18105 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.8 MEDIUM | 8.1 HIGH |
| The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability. | |||||
| CVE-2015-4594 | 1 Eclinicalworks | 1 Population Health | 2019-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID. | |||||
| CVE-2018-20238 | 1 Atlassian | 1 Crowd | 2019-02-26 | 5.5 MEDIUM | 8.1 HIGH |
| Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. | |||||
| CVE-2019-7747 | 1 Dbninja | 1 Dbninja | 2019-02-13 | 6.8 MEDIUM | 9.6 CRITICAL |
| DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. | |||||
| CVE-2019-7350 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 4.9 MEDIUM | 7.3 HIGH |
| Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins. | |||||
| CVE-2018-18925 | 1 Gogs | 1 Gogs | 2019-01-29 | 7.5 HIGH | 9.8 CRITICAL |
| Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. | |||||
| CVE-2018-18926 | 1 Gitea | 1 Gitea | 2019-01-29 | 7.5 HIGH | 9.8 CRITICAL |
| Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron. | |||||
| CVE-2018-18380 | 1 Bigtreecms | 1 Bigtree Cms | 2019-01-25 | 5.8 MEDIUM | 5.4 MEDIUM |
| A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session. | |||||
| CVE-2018-9082 | 1 Lenovo | 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more | 2019-01-07 | 4.0 MEDIUM | 8.8 HIGH |
| For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account | |||||
| CVE-2018-13337 | 1 Terra-master | 1 Terramaster Operating System | 2018-12-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. | |||||
| CVE-2018-19443 | 1 Tryton | 1 Tryton | 2018-12-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. | |||||
| CVE-2018-14387 | 1 Wondercms | 1 Wondercms | 2018-09-19 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can access the user's account through the active session. The Session Fixation attack fixes a session on the victim's browser, so the attack starts before the user logs in. | |||||
| CVE-2018-1000519 | 1 Aio-libs Project | 1 Aiohttp | 2018-08-30 | 4.3 MEDIUM | 6.5 MEDIUM |
| aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie). | |||||
| CVE-2018-1000602 | 1 Jenkins | 1 Saml | 2018-08-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session. | |||||
| CVE-2018-12071 | 1 Codeigniter | 1 Codeigniter | 2018-08-10 | 7.5 HIGH | 9.8 CRITICAL |
| A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled. | |||||
| CVE-2018-11714 | 1 Tp-link | 4 Tl-wr840n, Tl-wr840n Firmware, Tl-wr841n and 1 more | 2018-07-31 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker sends a header of "Referer: http://192.168.0.1/mainFrame.htm" then no authentication is required for any action. | |||||
| CVE-2017-12868 | 2 Php, Simplesamlphp | 2 Php, Simplesamlphp | 2018-07-01 | 7.5 HIGH | 9.8 CRITICAL |
| The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | |||||
| CVE-2018-11474 | 1 Monstra | 1 Monstra | 2018-06-28 | 6.0 MEDIUM | 8.0 HIGH |
| Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. A password change at admin/index.php?id=users&action=edit&user_id=1 does not invalidate a session that is open in a different browser. | |||||