Total
260 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-2049 | 1 Redhat | 1 Cloudforms Management Engine | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret. | |||||
| CVE-2017-14163 | 1 Mahara | 1 Mahara | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account. | |||||
| CVE-2017-1270 | 1 Ibm | 1 Security Guardium | 2024-02-04 | 2.1 LOW | 3.3 LOW |
| IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 124745. | |||||
| CVE-2016-9981 | 1 Ibm | 1 Security Appscan | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
| IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. IBM X-Force ID: 120257 | |||||
| CVE-2017-12868 | 2 Php, Simplesamlphp | 2 Php, Simplesamlphp | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | |||||
| CVE-2017-4963 | 1 Pivotal Software | 3 Cloud Foundry Cf-release, Cloud Foundry Uaa, Cloud Foundry Uaa-release | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. | |||||
| CVE-2015-1174 | 1 Unit4 | 1 Teta Web | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id. | |||||
| CVE-2016-8638 | 1 Ipsilon Project | 1 Ipsilon | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
| A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." | |||||
| CVE-2015-1820 | 1 Rest-client Project | 1 Rest-client | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect. | |||||
| CVE-2017-12225 | 1 Cisco | 1 Prime Lan Management Solution | 2024-02-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392. | |||||
| CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | |||||
| CVE-2016-10405 | 2 D-link, Dlink | 2 Dir-600l Firmware, Dir-600l | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
| CVE-2017-2145 | 1 Cybozu | 1 Garoon | 2024-02-04 | 5.8 MEDIUM | 5.4 MEDIUM |
| Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors. | |||||
| CVE-2017-14263 | 1 Honeywell | 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more | 2024-02-04 | 9.3 HIGH | 8.1 HIGH |
| Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device. | |||||
| CVE-2017-10890 | 1 Sharp | 10 Rx-clv1-p, Rx-clv1-p Firmware, Rx-clv2-b and 7 more | 2024-02-04 | 4.3 MEDIUM | 4.6 MEDIUM |
| Session management issue in RX-V200 firmware versions prior to 09.87.17.09, RX-V100 firmware versions prior to 03.29.17.09, RX-CLV1-P firmware versions prior to 79.17.17.09, RX-CLV2-B firmware versions prior to 89.07.17.09, RX-CLV3-N firmware versions prior to 91.09.17.10 allows an attacker on the same LAN to perform arbitrary operations or access information via unspecified vectors. | |||||
| CVE-2017-11562 | 1 Mt4 | 1 Senhasegura | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. | |||||
| CVE-2017-15304 | 1 Airtame | 2 Hdmi Dongle, Hdmi Dongle Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| /bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change. | |||||
| CVE-2017-12965 | 1 Apache2triad | 1 Apache2triad | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. | |||||
| CVE-2017-12873 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. | |||||
| CVE-2017-10600 | 1 Canonical | 1 Ubuntu-image | 2024-02-04 | 4.6 MEDIUM | 5.9 MEDIUM |
| ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories. | |||||