Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-384
Total 238 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-27490 1 Nextauth.js 1 Next-auth 2023-03-16 N/A 8.8 HIGH
NextAuth.js is an open source authentication solution for Next.js applications. `next-auth` applications using OAuth provider versions before `v4.20.1` have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to **log in as the victim**, bypassing the CSRF protection. This is due to a partial failure during a compromised OAuth session where a session code is erroneously generated. This issue has been addressed in version 4.20.1. Users are advised to upgrade. Users unable to upgrade may using Advanced Initialization, manually check the callback request for state, pkce, and nonce against the provider configuration to prevent this issue. See the linked GHSA for details.
CVE-2019-10371 1 Jenkins 1 Gitlab Oauth 2023-03-03 5.0 MEDIUM 7.5 HIGH
A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
CVE-2021-42761 1 Fortinet 1 Fortiweb 2023-02-24 N/A 9.8 CRITICAL
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session.
CVE-2022-24895 1 Sensiolabs 1 Symfony 2023-02-15 N/A 8.8 HIGH
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.
CVE-2016-8638 1 Ipsilon Project 1 Ipsilon 2023-02-12 6.4 MEDIUM 9.1 CRITICAL
A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."
CVE-2016-0721 3 Clusterlabs, Fedoraproject, Redhat 3 Pcs, Fedora, Enterprise Linux 2023-02-12 4.3 MEDIUM 8.1 HIGH
Session fixation vulnerability in pcsd in pcs before 0.9.157.
CVE-2021-29368 1 Cuppacms 1 Cuppacms 2023-02-06 N/A 8.8 HIGH
Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions.
CVE-2023-24427 1 Jenkins 1 Bitbucket Oauth 2023-02-03 N/A 9.8 CRITICAL
Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.
CVE-2019-4152 1 Ibm 1 Security Access Manager 2023-02-03 3.6 LOW 4.4 MEDIUM
IBM Security Access Manager 9.0.1 through 9.0.6 does not invalidate session tokens in a timely manner. The lack of proper session expiration may allow attackers with local access to login into a closed browser session. IBM X-Force ID: 158515.
CVE-2021-46279 1 Lannerinc 2 Iac-ast2500a, Iac-ast2500a Firmware 2023-02-03 N/A 8.8 HIGH
Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
CVE-2023-24424 1 Jenkins 1 Openid Connect Authentication 2023-02-03 N/A 8.8 HIGH
Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2023-24456 1 Jenkins 1 Keycloak Authentication 2023-02-02 N/A 9.8 CRITICAL
Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.
CVE-2023-22479 1 Fit2cloud 1 Kubepi 2023-01-13 N/A 6.5 MEDIUM
KubePi is a modern Kubernetes panel. A session fixation attack allows an attacker to hijack a legitimate user session, versions 1.6.3 and below are susceptible. A patch will be released in version 1.6.4.
CVE-2014-125048 1 Kluks 1 Xingwall 2023-01-12 N/A 5.4 MEDIUM
A vulnerability, which was classified as critical, has been found in kassi xingwall. This issue affects some unknown processing of the file app/controllers/oauth.js. The manipulation leads to session fixiation. The name of the patch is e9f0d509e1408743048e29d9c099d36e0e1f6ae7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217559.
CVE-2022-43529 1 Arubanetworks 1 Aruba Edgeconnect Enterprise Orchestrator 2023-01-11 N/A 5.4 MEDIUM
A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator and below, - Orchestrator and below, - Orchestrator and below, - Orchestrator and below, - Any older branches of Orchestrator not specifically mentioned.
CVE-2022-36437 1 Hazelcast 2 Hazelcast, Hazelcast-jet 2023-01-09 N/A 9.1 CRITICAL
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
CVE-2022-44017 1 Simmeth 1 Lieferantenmanager 2023-01-05 N/A 7.5 HIGH
An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout.
CVE-2020-15679 1 Mozilla 1 Vpn 2022-12-29 N/A 7.6 HIGH
An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).
CVE-2022-4231 1 Tribalsystems 1 Zenario 2022-12-06 N/A 5.4 MEDIUM
A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. This issue affects some unknown processing of the component Remember Me Handler. The manipulation leads to session fixiation. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214589 was assigned to this vulnerability.
CVE-2019-4439 1 Ibm 1 Cloud Private 2022-12-03 4.6 MEDIUM 5.3 MEDIUM
IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.