Total: 280 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2023-12-10 | N/A | 9.8 CRITICAL | Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.
CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2023-12-10 | N/A | 8.8 HIGH | Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.
CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2023-12-10 | N/A | 6.1 MEDIUM | Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors.
CVE-2021-29368 | 1 Cuppacms | 1 Cuppacms | 2023-12-10 | N/A | 8.8 HIGH | Session fixation vulnerability in CuppaCMS through commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions.
CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2023-12-10 | N/A | 4.6 MEDIUM | Session fixation exists in ZoneMinder through 1.36.12, as an attacker can poison a session cookie for the next logged-in user.
CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2023-12-10 | N/A | 9.8 CRITICAL | The application was vulnerable to a session fixation that could be used to hijack accounts.
CVE-2022-40226 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2023-12-10 | N/A | 8.1 HIGH | A vulnerability has been identified in SICAM P850 (All versions < V3.10) and SICAM P855 (All versions < V3.10). Affected devices accept user-defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login.
CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2023-12-10 | N/A | 5.4 MEDIUM | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVE-2022-33927 | 1 Dell | 1 Wyse Management Suite | 2023-12-10 | N/A | 6.5 MEDIUM | Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. An unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session.
CVE-2022-25896 | 1 Passport Project | 1 Passport | 2023-12-10 | 5.8 MEDIUM | 4.8 MEDIUM | This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.
CVE-2022-38054 | 1 Apache | 1 Airflow | 2023-12-10 | N/A | 9.8 CRITICAL | In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.
CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2023-12-10 | N/A | 7.5 HIGH | Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allow attackers to access the core log file and perform session hijacking via a crafted session token.
CVE-2022-30605 | 1 Wwbn | 1 Avideo | 2023-12-10 | N/A | 8.8 HIGH | A privilege escalation vulnerability exists in the session ID functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2023-12-10 | N/A | 8.8 HIGH | Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
CVE-2022-3269 | 1 Ikus-soft | 1 Rdiffweb | 2023-12-10 | N/A | 9.8 CRITICAL | Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7.
CVE-2022-38369 | 1 Apache | 1 Iotdb | 2023-12-10 | N/A | 8.8 HIGH | Apache IoTDB version 0.13.0 is vulnerable to a session ID attack. Users should upgrade to version 0.13.1, which addresses this issue.
CVE-2022-22681 | 1 Synology | 1 Photo Station | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraints via unspecified vectors.
CVE-2022-44007 | 1 Backclick | 1 Backclick | 2023-12-10 | N/A | 8.8 HIGH | An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.
CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2023-12-10 | N/A | 6.5 MEDIUM | IBM Sterling Partner Engagement Manager 2.0 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704.
CVE-2022-2997 | 1 Snipeitapp | 1 Snipe-it | 2023-12-10 | N/A | 8.0 HIGH | Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.