Total
260 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-44788 | 1 Maggioli | 1 Appalti \& Contratti | 2024-02-04 | N/A | 6.5 MEDIUM |
An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login. | |||||
CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2024-02-04 | N/A | 6.1 MEDIUM |
Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. | |||||
CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2024-02-04 | N/A | 8.8 HIGH |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | |||||
CVE-2021-42761 | 1 Fortinet | 1 Fortiweb | 2024-02-04 | N/A | 9.8 CRITICAL |
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session. | |||||
CVE-2022-30605 | 1 Wwbn | 1 Avideo | 2024-02-04 | N/A | 8.8 HIGH |
A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | |||||
CVE-2022-2997 | 1 Snipeitapp | 1 Snipe-it | 2024-02-04 | N/A | 8.0 HIGH |
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. | |||||
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-02-04 | N/A | 8.8 HIGH |
Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
CVE-2022-33927 | 1 Dell | 1 Wyse Management Suite | 2024-02-04 | N/A | 6.5 MEDIUM |
Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session. | |||||
CVE-2022-40226 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2024-02-04 | N/A | 8.1 HIGH |
A vulnerability has been identified in SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10). Affected devices accept user defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login. | |||||
CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-02-04 | N/A | 6.5 MEDIUM |
IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704. | |||||
CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2024-02-04 | N/A | 7.5 HIGH |
Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allows attackers to access the core log file and perform session hijacking via a crafted session token. | |||||
CVE-2022-31798 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2024-02-04 | N/A | 6.1 MEDIUM |
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account. | |||||
CVE-2022-25896 | 1 Passport Project | 1 Passport | 2024-02-04 | 5.8 MEDIUM | 4.8 MEDIUM |
This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. | |||||
CVE-2022-43398 | 1 Siemens | 4 7kg9501-0aa01-2aa1, 7kg9501-0aa01-2aa1 Firmware, 7kg9501-0aa31-2aa1 and 1 more | 2024-02-04 | N/A | 8.8 HIGH |
A vulnerability has been identified in POWER METER SICAM Q200 family (All versions < V2.70). Affected devices do not renew the session cookie after login/logout and also accept user defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim logged in, the attacker is given access to the user's account through the activated session. | |||||
CVE-2022-38369 | 1 Apache | 1 Iotdb | 2024-02-04 | N/A | 8.8 HIGH |
Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue. | |||||
CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2024-02-04 | N/A | 9.8 CRITICAL |
The application was vulnerable to a session fixation that could be used hijack accounts. | |||||
CVE-2022-44007 | 1 Backclick | 1 Backclick | 2024-02-04 | N/A | 8.8 HIGH |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. | |||||
CVE-2022-22681 | 1 Synology | 1 Photo Station | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | |||||
CVE-2022-38054 | 1 Apache | 1 Airflow | 2024-02-04 | N/A | 9.8 CRITICAL |
In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | |||||
CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2024-02-04 | N/A | 9.8 CRITICAL |
VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. |