Total
238 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-33927 | 1 Dell | 1 Wyse Management Suite | 2022-08-12 | N/A | 6.5 MEDIUM |
| Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session. | |||||
| CVE-2019-12258 | 5 Belden, Netapp, Siemens and 2 more | 50 Garrettcom Magnum Dx940e, Garrettcom Magnum Dx940e Firmware, Hirschmann Dragon Mach4000 and 47 more | 2022-08-12 | 5.0 MEDIUM | 7.5 HIGH |
| Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options. | |||||
| CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2022-07-26 | N/A | 7.5 HIGH |
| Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allows attackers to access the core log file and perform session hijacking via a crafted session token. | |||||
| CVE-2022-22681 | 1 Synology | 1 Photo Station | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | |||||
| CVE-2022-25896 | 1 Passport Project | 1 Passport | 2022-07-13 | 5.8 MEDIUM | 4.8 MEDIUM |
| This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. | |||||
| CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2022-07-13 | 6.4 MEDIUM | 6.5 MEDIUM |
| Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | |||||
| CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2022-06-08 | 6.8 MEDIUM | 8.8 HIGH |
| Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | |||||
| CVE-2022-1849 | 1 Filegator | 1 Filegator | 2022-06-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. | |||||
| CVE-2021-38869 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-05-04 | 7.5 HIGH | 9.8 CRITICAL |
| IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceede their idle timeout. IBM X-Force ID: 208341. | |||||
| CVE-2021-20324 | 1 Redhat | 6 Codeready Studio, Descision Manager, Jboss Enterprise Application Platform and 3 more | 2022-04-26 | 5.8 MEDIUM | 5.4 MEDIUM |
| A flaw was found in WildFly Elytron. A variation to the use of a session fixation exploit when using Undertow was found despite Undertow switching the session ID after authentication. | |||||
| CVE-2020-25152 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2022-04-21 | 5.8 MEDIUM | 8.1 HIGH |
| A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges. | |||||
| CVE-2022-24781 | 1 Geon Project | 1 Geon | 2022-03-31 | 5.5 MEDIUM | 7.1 HIGH |
| Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists. | |||||
| CVE-2022-24745 | 1 Shopware | 1 Shopware | 2022-03-18 | 5.8 MEDIUM | 6.5 MEDIUM |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache. | |||||
| CVE-2022-22922 | 1 Tp-link | 2 Tl-wa850re, Tl-wa850re Firmware | 2022-02-25 | 7.5 HIGH | 9.8 CRITICAL |
| TP-Link TL-WA850RE Wi-Fi Range Extender before v6_200923 was discovered to use highly predictable and easily detectable session keys, allowing attackers to gain administrative privileges. | |||||
| CVE-2021-39066 | 1 Ibm | 1 Financial Transaction Manager | 2022-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Financial Transaction Manager 3.2.4 does not invalidate session any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040. | |||||
| CVE-2022-22551 | 1 Dell | 1 Emc Appsync | 2022-01-27 | 5.8 MEDIUM | 8.8 HIGH |
| DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session. | |||||
| CVE-2021-20151 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-01-07 | 7.5 HIGH | 10.0 CRITICAL |
| Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying client cookies/session tokens/etc. This allows an attacker (whether from a different computer, different web browser on the same machine, etc.) to take over an existing session. This does require the attacker to be able to spoof or take over original IP address of the original user's session. | |||||
| CVE-2021-44151 | 1 Reprisesoftware | 1 Reprise License Manager | 2021-12-15 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit. | |||||
| CVE-2021-31745 | 1 Pluck-cms | 1 Pluck | 2021-12-14 | 5.0 MEDIUM | 7.5 HIGH |
| Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password. | |||||
| CVE-2021-41246 | 1 Auth0 | 1 Express Openid Connect | 2021-12-13 | 6.8 MEDIUM | 8.8 HIGH |
| Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue. | |||||