Total
260 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-35046 | 1 Icehrm | 1 Icehrm | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
| A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. | |||||
| CVE-2010-1434 | 1 Joomla | 1 Joomla\! | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Joomla! Core is prone to a session fixation vulnerability. An attacker may leverage this issue to hijack an arbitrary session and gain access to sensitive information, which may help in launching further attacks. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable. | |||||
| CVE-2021-32676 | 1 Nextcloud | 1 Talk | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist. | |||||
| CVE-2021-21671 | 1 Jenkins | 1 Jenkins | 2024-02-04 | 5.1 MEDIUM | 7.5 HIGH |
| Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login. | |||||
| CVE-2021-35948 | 1 Owncloud | 1 Owncloud | 2024-02-04 | 5.8 MEDIUM | 5.4 MEDIUM |
| Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie. | |||||
| CVE-2021-22927 | 1 Citrix | 16 Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 13 more | 2024-02-04 | 5.8 MEDIUM | 8.1 HIGH |
| A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session. | |||||
| CVE-2020-5021 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2024-02-04 | 3.6 LOW | 4.4 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 does not invalidate session after a password reset which could allow a local user to impersonate another user on the system. IBM X-Force ID: 193657. | |||||
| CVE-2019-4563 | 1 Ibm | 1 Security Directory Server | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Security Directory Server 6.4.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 166624. | |||||
| CVE-2020-35591 | 1 Pi-hole | 1 Pi-hole | 2024-02-04 | 5.8 MEDIUM | 5.4 MEDIUM |
| Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. | |||||
| CVE-2019-18946 | 1 Microfocus | 1 Solutions Business Manager | 2024-02-04 | 3.8 LOW | 4.8 MEDIUM |
| Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation. | |||||
| CVE-2020-25198 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session and hijack it by stealing the user’s cookies. | |||||
| CVE-2020-4954 | 1 Ibm | 1 Spectrum Protect Operations Center | 2024-02-04 | 4.8 MEDIUM | 5.4 MEDIUM |
| IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to bypass authentication restrictions, caused by improper session validation . By using the configuration panel to obtain a valid session using an attacker controlled IBM Spectrum Protect server, an attacker could exploit this vulnerability to bypass authentication and gain access to a limited number of debug functions, such as logging levels. IBM X-Force ID: 192153. | |||||
| CVE-2020-10714 | 2 Netapp, Redhat | 6 Oncommand Insight, Codeready Studio, Descision Manager and 3 more | 2024-02-04 | 5.1 MEDIUM | 7.5 HIGH |
| A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2020-5654 | 1 Mitsubishielectric | 10 Melsec Iq-rd81dl96, Melsec Iq-rd81dl96 Firmware, Melsec Iq-rd81mes96n and 7 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in TCP/IP function included in the firmware of MELSEC iQ-R series (RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial number are '02' or before, RJ71PN92 PROFINET IO Controller Module First 2 digits of serial number are '01' or before, RD81DL96 High Speed Data Logger Module First 2 digits of serial number are '08' or before, RD81MES96N MES Interface Module First 2 digits of serial number are '04' or before, and RD81OPC96 OPC UA Server Module First 2 digits of serial number are '04' or before) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet. | |||||
| CVE-2020-35229 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-02-04 | 5.8 MEDIUM | 8.8 HIGH |
| The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges. | |||||
| CVE-2020-5645 | 1 Mitsubishielectric | 6 Coreos, Gt1450-qlbde, Gt1450-qmbde and 3 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QMBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QLBDE CoreOS version "05.65.00.BD" and earlier, GT1455HS-QTBDE CoreOS version "05.65.00.BD" and earlier, and GT1450HS-QMBDE CoreOS version "05.65.00.BD" and earlier) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet. | |||||
| CVE-2020-4555 | 1 Ibm | 1 Financial Transaction Manager | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 183328. | |||||
| CVE-2020-15909 | 1 Solarwinds | 1 N-central | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi factor request as N-Central is a highly privileged service. | |||||
| CVE-2020-5543 | 1 Mitsubishielectric | 2 Iu1-1m20-d, Iu1-1m20-d Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | |||||
| CVE-2020-4527 | 1 Ibm | 1 Planning Analytics | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM X-Force ID: 182631. | |||||