Total
238 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4304 | 1 Ibm | 1 Websphere Application Server | 2022-12-02 | 6.5 MEDIUM | 6.3 MEDIUM |
| IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950. | |||||
| CVE-2019-4227 | 1 Ibm | 1 Mq | 2022-12-02 | 7.5 HIGH | 7.3 HIGH |
| IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 AMQP Listeners could allow an unauthorized user to conduct a session fixation attack due to clients not being disconnected as they should. IBM X-Force ID: 159352. | |||||
| CVE-2022-44788 | 1 Maggioli | 1 Appalti \& Contratti | 2022-11-23 | N/A | 6.5 MEDIUM |
| An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login. | |||||
| CVE-2022-44007 | 1 Backclick | 1 Backclick | 2022-11-21 | N/A | 8.8 HIGH |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. | |||||
| CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2022-11-17 | N/A | 5.4 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2022-11-16 | N/A | 4.6 MEDIUM |
| Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | |||||
| CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2022-11-10 | N/A | 9.8 CRITICAL |
| VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. | |||||
| CVE-2022-43398 | 1 Siemens | 4 7kg9501-0aa01-2aa1, 7kg9501-0aa01-2aa1 Firmware, 7kg9501-0aa31-2aa1 and 1 more | 2022-11-09 | N/A | 8.8 HIGH |
| A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not renew the session cookie after login/logout and also accept user defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim logged in, the attacker is given access to the user's account through the activated session. | |||||
| CVE-2020-10714 | 2 Netapp, Redhat | 6 Oncommand Insight, Codeready Studio, Descision Manager and 3 more | 2022-11-08 | 5.1 MEDIUM | 7.5 HIGH |
| A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2022-11-03 | N/A | 9.8 CRITICAL |
| The application was vulnerable to a session fixation that could be used hijack accounts. | |||||
| CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2022-10-12 | N/A | 6.5 MEDIUM |
| IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704. | |||||
| CVE-2022-40226 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2022-10-12 | N/A | 8.1 HIGH |
| A vulnerability has been identified in SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10). Affected devices accept user defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login. | |||||
| CVE-2019-17563 | 5 Apache, Canonical, Debian and 2 more | 11 Tomcat, Ubuntu Linux, Debian Linux and 8 more | 2022-10-07 | 5.1 MEDIUM | 7.5 HIGH |
| When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. | |||||
| CVE-2022-40630 | 1 Tacitine | 4 En6200-prime Quad-100, En6200-prime Quad-100 Firmware, En6200-prime Quad-35 and 1 more | 2022-09-28 | N/A | 9.8 CRITICAL |
| This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface. An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted http request on the targeted device. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform session fixation on the targeted device. | |||||
| CVE-2017-0892 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 4.3 MEDIUM | 3.5 LOW |
| Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. | |||||
| CVE-2022-3269 | 1 Ikus-soft | 1 Rdiffweb | 2022-09-26 | N/A | 9.8 CRITICAL |
| Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. | |||||
| CVE-2022-38054 | 1 Apache | 1 Airflow | 2022-09-09 | N/A | 9.8 CRITICAL |
| In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | |||||
| CVE-2022-38369 | 1 Apache | 1 Iotdb | 2022-09-09 | N/A | 8.8 HIGH |
| Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue. | |||||
| CVE-2022-2997 | 1 Snipeitapp | 1 Snipe-it | 2022-09-01 | N/A | 8.0 HIGH |
| Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. | |||||
| CVE-2022-30605 | 1 Wwbn | 1 Avideo | 2022-08-26 | N/A | 8.8 HIGH |
| A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | |||||