Total
280 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-14263 | 1 Honeywell | 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more | 2023-12-10 | 9.3 HIGH | 8.1 HIGH |
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device. | |||||
CVE-2017-0892 | 1 Nextcloud | 1 Nextcloud Server | 2023-12-10 | 4.3 MEDIUM | 3.5 LOW |
Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. | |||||
CVE-2016-0721 | 3 Clusterlabs, Fedoraproject, Redhat | 3 Pcs, Fedora, Enterprise Linux | 2023-12-10 | 4.3 MEDIUM | 8.1 HIGH |
Session fixation vulnerability in pcsd in pcs before 0.9.157. | |||||
CVE-2017-5831 | 1 Revive-adserver | 1 Revive Adserver | 2023-12-10 | 5.5 MEDIUM | 5.9 MEDIUM |
Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. | |||||
CVE-2017-6412 | 1 Sophos | 1 Web Appliance | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. | |||||
CVE-2015-4594 | 1 Eclinicalworks | 1 Population Health | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID. | |||||
CVE-2017-5141 | 1 Honeywell | 1 Xl Web Ii Controller | 2023-12-10 | 6.5 MEDIUM | 6.0 MEDIUM |
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION). | |||||
CVE-2016-6043 | 1 Ibm | 1 Tivoli Storage Manager | 2023-12-10 | 4.4 MEDIUM | 7.0 HIGH |
Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced. | |||||
CVE-2017-5656 | 1 Apache | 1 Cxf | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. | |||||
CVE-2016-6040 | 1 Ibm | 1 Rational Collaborative Lifecycle Management | 2023-12-10 | 6.0 MEDIUM | 5.0 MEDIUM |
IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced. | |||||
CVE-2017-1152 | 1 Ibm | 1 Financial Transaction Manager | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293. | |||||
CVE-2016-9703 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2023-12-10 | 2.1 LOW | 2.4 LOW |
IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information. | |||||
CVE-2016-10205 | 1 Zoneminder | 1 Zoneminder | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. | |||||
CVE-2017-4014 | 1 Mcafee | 1 Network Data Loss Prevention | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH |
Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request. | |||||
CVE-2016-9125 | 1 Revive-adserver | 1 Revive Adserver | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session. | |||||
CVE-2014-4789 | 1 Ibm | 1 Initiate Master Data Service | 2023-12-10 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2023-12-10 | 5.8 MEDIUM | N/A |
Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | |||||
CVE-2007-4188 | 1 Joomla | 1 Joomla\! | 2023-12-10 | 9.3 HIGH | N/A |
Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. | |||||
CVE-1999-0428 | 1 Openssl | 1 Openssl | 2023-12-10 | 7.5 HIGH | N/A |
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. | |||||
CVE-2001-1534 | 1 Apache | 1 Http Server | 2023-12-10 | 2.1 LOW | N/A |
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. |