Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-384
Total 238 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-4291 1 Ibm 1 Security Information Queue 2020-04-08 4.3 MEDIUM 4.3 MEDIUM
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334.
CVE-2020-5290 1 Ctfd 1 Rctf 2020-04-03 4.3 MEDIUM 6.5 MEDIUM
In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3.
CVE-2019-15612 1 Nextcloud 1 Nextcloud Server 2020-03-24 3.2 LOW 5.9 MEDIUM
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
CVE-2019-4617 2 Ibm, Linux 2 Cloud Automation Manager, Linux Kernel 2020-03-20 3.6 LOW 4.4 MEDIUM
IBM Cloud Automation Manager 3.2.1.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 168645.
CVE-2020-5543 1 Mitsubishielectric 2 Iu1-1m20-d, Iu1-1m20-d Firmware 2020-03-18 7.5 HIGH 9.8 CRITICAL
TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet.
CVE-2020-9370 1 Humaxdigital 2 Hga12r-02, Hga12r-02 Firmware 2020-03-06 6.4 MEDIUM 9.1 CRITICAL
HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking.
CVE-2020-8990 1 Western Digital 2 Ibi, My Cloud Home 2020-02-24 6.4 MEDIUM 9.1 CRITICAL
Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation.
CVE-2014-10399 1 Keplerproject 1 Cgilua 2020-02-11 4.3 MEDIUM 6.1 MEDIUM
The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
CVE-2014-10400 1 Keplerproject 1 Cgilua 2020-02-11 4.3 MEDIUM 6.1 MEDIUM
The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.
CVE-2013-4572 2 Fedoraproject, Mediawiki 2 Fedora, Mediawiki 2020-02-10 5.0 MEDIUM 7.5 HIGH
The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user.
CVE-2013-0507 1 Ibm 1 Infosphere Information Server 2020-02-07 5.8 MEDIUM 8.1 HIGH
IBM InfoSphere Information Server 8.1, 8.5, 8.7, 9.1 has a Session Fixation Vulnerability
CVE-2020-5205 1 Powauth 1 Pow 2020-01-17 5.5 MEDIUM 5.4 MEDIUM
In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability.
CVE-2019-10158 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2020-01-10 7.5 HIGH 9.8 CRITICAL
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
CVE-2019-17062 1 Oxid-esales 1 Eshop 2019-11-08 6.8 MEDIUM 8.8 HIGH
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation.
CVE-2010-3671 1 Typo3 1 Typo3 2019-11-08 9.4 HIGH 6.5 MEDIUM
TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.
CVE-2019-18418 1 Clonos 1 Clonos 2019-10-29 7.5 HIGH 9.8 CRITICAL
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.
CVE-2019-15849 1 Eq-3 2 Homematic Ccu3, Homematic Ccu3 Firmware 2019-10-22 4.9 MEDIUM 7.3 HIGH
eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.
CVE-2019-3784 1 Cloudfoundry 1 Stratos 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id.
CVE-2019-1807 1 Cisco 1 Umbrella 2019-10-09 6.8 MEDIUM 8.8 HIGH
A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user session. The vulnerability exists due to the affected application not invalidating an existing session when a user authenticates to the application and changes the users credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active session to connect to the application through the web UI. A successful exploit could allow the attacker to maintain access to the dashboard via an authenticated user's browser session. Cisco has addressed this vulnerability in the Cisco Umbrella Dashboard. No user action is required.
CVE-2019-13517 1 Bd 2 Pyxis Enterprise Server, Pyxis Es 2019-10-09 6.5 MEDIUM 8.8 HIGH
In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain.