Total: 283 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2024-11-21 | 5.8 MEDIUM | N/A | Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.
CVE-2007-4188 | 1 Joomla | 1 Joomla! | 2024-11-21 | 9.3 HIGH | N/A | Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors.
CVE-2001-1534 | 1 Apache | 1 Http Server | 2024-11-20 | 2.1 LOW | N/A | mod_usertrack in Apache 1.3.11 through 1.3.20 generates session IDs using predictable information including host IP address, system time and server process ID, which allows local users to obtain session IDs and bypass authentication when these session IDs are used for authentication.
CVE-1999-0428 | 1 Openssl | 1 Openssl | 2024-11-20 | 7.5 HIGH | N/A | OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
CVE-2023-52268 | | | 2024-11-19 | N/A | 9.1 CRITICAL | The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. NOTE: this module is not part of freescout-helpdesk/freescout on GitHub.
CVE-2021-3740 | | | 2024-11-15 | N/A | 6.8 MEDIUM | A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token.
CVE-2023-50176 | | | 2024-11-13 | N/A | 7.5 HIGH | A session fixation in Fortinet FortiOS version 7.4.0 through 7.4.3 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.13 allows an attacker to execute unauthorized code or commands via a phishing SAML authentication link.
CVE-2024-10318 | 1 F5 | 4 Nginx Api Connectivity Manager, Nginx Ingress Controller, Nginx Instance Manager and 1 more | 2024-11-08 | N/A | 5.4 MEDIUM | A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in as the victim, they can force the session to associate it with the attacker-controlled account, leading to potential misuse of the victim's session.
CVE-2023-21239 | 1 Google | 1 Android | 2024-11-06 | N/A | 5.5 MEDIUM | In visitUris of Notification.java, there is a possible way to leak image data across user boundaries due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-21238 | 1 Google | 1 Android | 2024-11-06 | N/A | 5.5 MEDIUM | In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-23590 | | | 2024-11-05 | N/A | 9.1 CRITICAL | Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
CVE-2024-48955 | | | 2024-11-01 | N/A | 8.1 HIGH | Broken access control in NetAdmin 4.030319: the endpoint that "assembles" the functionality menus returns its data unencrypted, and because the system does not validate session authorization, an attacker can copy the browser content of a user with greater privileges and gain access to the functionalities of the user whose content was copied.
CVE-2024-48929 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 4.2 MEDIUM | Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch for the issue.
CVE-2024-10158 | 1 Phpgurukul | 1 Boat Booking System | 2024-10-22 | 5.0 MEDIUM | 8.8 HIGH | A vulnerability classified as problematic has been found in PHPGurukul Boat Booking System 1.0. Affected is the function session_start. The manipulation leads to session fixation. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-8643 | 1 Oceanicsoft | 1 Valeapp | 2024-10-04 | N/A | 9.8 CRITICAL | Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0.
CVE-2024-7341 | 1 Redhat | 4 Build Of Keycloak, Enterprise Linux, Keycloak and 1 more | 2024-10-04 | N/A | 7.1 HIGH | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
CVE-2023-47798 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-10-03 | N/A | 4.6 MEDIUM | Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.
CVE-2023-40273 | 1 Apache | 1 Airflow | 2024-09-27 | N/A | 8.0 HIGH | The session fixation vulnerability allowed the authenticated user to continue accessing the Airflow webserver even after the password of the user had been reset by the admin, up until the expiry of the user's session. Other than manually cleaning the session database (for the database session backend), or changing the secure_key and restarting the webserver, there were no mechanisms to force-logout the user (and all other users with that). With this fix implemented, when using the database session backend, the existing sessions of the user are invalidated when the password of the user is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation is also updated explaining this behaviour. Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
CVE-2023-42322 | 1 Icmsdev | 1 Icms | 2024-09-25 | N/A | 9.8 CRITICAL | Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information.
CVE-2024-22318 | 1 Ibm | 1 I Access Client Solutions | 2024-09-20 | N/A | 5.5 MEDIUM | IBM i Access Client Solutions (ACS) 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 is vulnerable to NT LAN Manager (NTLM) hash disclosure by an attacker modifying UNC-capable paths within ACS configuration files to point to a hostile server. If NTLM is enabled, the Windows operating system will try to authenticate using the current user's session. The hostile server could capture the NTLM hash information to obtain the user's credentials. IBM X-Force ID: 279091.