Total
280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-12619 | 1 Apache | 1 Zeppelin | 2023-12-10 | 5.8 MEDIUM | 8.1 HIGH |
| Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone". | |||||
| CVE-2019-9744 | 1 Phoenixcontact | 8 Fl Nat Smcs 8tx, Fl Nat Smcs 8tx Firmware, Fl Nat Smn 8tx and 5 more | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier. | |||||
| CVE-2019-1807 | 1 Cisco | 1 Umbrella | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user session. The vulnerability exists due to the affected application not invalidating an existing session when a user authenticates to the application and changes the users credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active session to connect to the application through the web UI. A successful exploit could allow the attacker to maintain access to the dashboard via an authenticated user's browser session. Cisco has addressed this vulnerability in the Cisco Umbrella Dashboard. No user action is required. | |||||
| CVE-2019-4439 | 1 Ibm | 1 Cloud Private | 2023-12-10 | 4.6 MEDIUM | 5.3 MEDIUM |
| IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949. | |||||
| CVE-2019-3784 | 1 Cloudfoundry | 1 Stratos | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id. | |||||
| CVE-2019-10008 | 1 Zohocorp | 1 Servicedesk Plus | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab. | |||||
| CVE-2018-8852 | 1 Philips | 1 E-alert Firmware | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier. | |||||
| CVE-2018-18925 | 1 Gogs | 1 Gogs | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
| Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. | |||||
| CVE-2018-1480 | 1 Ibm | 1 Bigfix Platform | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. If a Cross-Site Scripting vulnerability also existed attackers may be able to get the cookie values via malicious JavaScript and then hijack the user session. IBM X-Force ID: 140762. | |||||
| CVE-2018-13337 | 1 Terra-master | 1 Terramaster Operating System | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
| Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. | |||||
| CVE-2018-14387 | 1 Wondercms | 1 Wondercms | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can access the user's account through the active session. The Session Fixation attack fixes a session on the victim's browser, so the attack starts before the user logs in. | |||||
| CVE-2018-6434 | 1 Broadcom | 1 Fabric Operating System | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID. | |||||
| CVE-2018-9082 | 1 Lenovo | 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
| For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account | |||||
| CVE-2018-19443 | 1 Tryton | 1 Tryton | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. | |||||
| CVE-2018-5385 | 1 Navarino | 1 Infinity | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| Navarino Infinity is prone to session fixation attacks. The server accepts the session ID as a GET parameter which can lead to bypassing the two factor authentication in some installations. This could lead to phishing attacks that can bypass the two factor authentication that is present in some installations. | |||||
| CVE-2016-9574 | 1 Mozilla | 1 Network Security Services | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA. | |||||
| CVE-2019-7350 | 1 Zoneminder | 1 Zoneminder | 2023-12-10 | 4.9 MEDIUM | 7.3 HIGH |
| Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins. | |||||
| CVE-2018-16463 | 1 Nextcloud | 1 Nextcloud Server | 2023-12-10 | 3.6 LOW | 3.1 LOW |
| A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares. | |||||
| CVE-2018-1962 | 1 Ibm | 1 Security Identity Manager | 2023-12-10 | 2.1 LOW | 3.3 LOW |
| IBM Security Identity Manager 7.0.1 Virtual Appliance does not invalidate session tokens when the logout button is pressed. The lack of proper session termination may allow attackers with local access to login into a closed browser session. IBM X-Force ID: 153658. | |||||
| CVE-2018-1484 | 1 Ibm | 1 Bigfix Platform | 2023-12-10 | 4.3 MEDIUM | 3.7 LOW |
| IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 140969. | |||||