Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-384
Total 238 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41268 1 Sensiolabs 1 Symfony 2021-11-30 6.5 MEDIUM 8.8 HIGH
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.
CVE-2021-42073 1 Barrier Project 1 Barrier 2021-11-09 5.8 MEDIUM 8.2 HIGH
An issue was discovered in Barrier before 2.4.0. An attacker can enter an active session state with the barriers component (aka the server-side implementation of Barrier) simply by supplying a client label that identifies a valid client configuration. This label is "Unnamed" by default but could instead be guessed from hostnames or other publicly available information. In the active session state, an attacker can capture input device events from the server, and also modify the clipboard content on the server.
CVE-2021-41553 1 Archibus 1 Web Central 2021-10-08 7.5 HIGH 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token, client-side, simply by making an unauthenticated GET Request to the Home Page and adding an arbitrary value to the JSESSIONID field. The application, following the login, does not assign a new token, continuing to keep the inserted one, as the identifier of the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
CVE-2007-4188 1 Joomla 1 Joomla\! 2021-10-01 9.3 HIGH N/A
Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.
CVE-2021-35948 1 Owncloud 1 Owncloud 2021-09-15 5.8 MEDIUM 5.4 MEDIUM
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.
CVE-2021-22237 1 Gitlab 1 Gitlab 2021-08-31 4.0 MEDIUM 4.9 MEDIUM
Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2
CVE-2021-39290 1 Netmodule 30 Nb1600, Nb1600 Firmware, Nb1601 and 27 more 2021-08-27 7.5 HIGH 9.8 CRITICAL
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.
CVE-2021-22927 1 Citrix 16 Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 13 more 2021-08-16 5.8 MEDIUM 8.1 HIGH
A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session.
CVE-2001-1534 1 Apache 1 Http Server 2021-07-15 2.1 LOW N/A
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.
CVE-2021-21671 1 Jenkins 1 Jenkins 2021-07-06 5.1 MEDIUM 7.5 HIGH
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.
CVE-2021-32710 1 Shopware 1 Shopware 2021-07-01 5.0 MEDIUM 7.5 HIGH
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
CVE-2021-35046 1 Icehrm 1 Icehrm 2021-06-25 5.8 MEDIUM 6.1 MEDIUM
A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.
CVE-2010-1434 1 Joomla 1 Joomla\! 2021-06-25 5.0 MEDIUM 7.5 HIGH
Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
CVE-2021-32676 1 Nextcloud 1 Talk 2021-06-23 4.0 MEDIUM 6.5 MEDIUM
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist.
CVE-2018-6434 1 Broadcom 1 Fabric Operating System 2021-06-22 5.0 MEDIUM 7.5 HIGH
A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID.
CVE-2017-5656 1 Apache 1 Cxf 2021-06-16 5.0 MEDIUM 7.5 HIGH
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
CVE-2018-17199 5 Apache, Canonical, Debian and 2 more 6 Http Server, Ubuntu Linux, Debian Linux and 3 more 2021-06-06 5.0 MEDIUM 7.5 HIGH
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2018-16495 1 Versa-networks 1 Versa Operating System 2021-06-04 6.5 MEDIUM 8.8 HIGH
In VOS user session identifier (authentication token) is issued to the browser prior to authentication but is not changed after the user successfully logs into the application. Failing to issue a new session ID following a successful login introduces the possibility for an attacker to set up a trap session on the device the victim is likely to login with.
CVE-2021-33394 1 Cubecart 1 Cubecart 2021-06-02 5.5 MEDIUM 5.4 MEDIUM
Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
CVE-2008-3222 2 Drupal, Fedoraproject 2 Drupal, Fedora 2021-04-15 5.8 MEDIUM N/A
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.