Vulnerabilities (CVE)

Filtered by CWE-384
Total 280 CVE
Columns per row: CVE ID, number and names of affected vendors, number and names of affected products, last updated date, CVSS v2 score, CVSS v3 score. Each row is followed by the CVE description.
CVE-2022-31798 1 Nortekcontrol 2 Emerge E3, Emerge E3 Firmware 2023-12-10 N/A 6.1 MEDIUM
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.
CVE-2022-31689 1 Vmware 1 Workspace One Assist 2023-12-10 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.
CVE-2022-40630 1 Tacitine 4 En6200-prime Quad-100, En6200-prime Quad-100 Firmware, En6200-prime Quad-35 and 1 more 2023-12-10 N/A 9.8 CRITICAL
This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the Tacitine Firewall web-based management interface. An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted http request on the targeted device. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform session fixation on the targeted device.
CVE-2020-25152 1 Bbraun 2 Datamodule Compactplus, Spacecom 2023-12-10 5.8 MEDIUM 8.1 HIGH
A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges.
CVE-2022-26591 1 Fantec 2 Mwid25-ds, Mwid25-ds Firmware 2023-12-10 5.0 MEDIUM 7.5 HIGH
FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request.
CVE-2022-27305 1 Gibbonedu 1 Gibbon 2023-12-10 6.8 MEDIUM 8.8 HIGH
Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.
CVE-2022-24781 1 Geon Project 1 Geon 2023-12-10 5.5 MEDIUM 7.1 HIGH
Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists.
CVE-2021-38869 2 Ibm, Linux 2 Qradar Security Information And Event Manager, Linux Kernel 2023-12-10 7.5 HIGH 9.8 CRITICAL
IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceed their idle timeout. IBM X-Force ID: 208341.
CVE-2022-24444 1 Silverstripe 1 Silverstripe 2023-12-10 6.4 MEDIUM 6.5 MEDIUM
Silverstripe silverstripe/framework through 4.10 allows Session Fixation.
CVE-2022-1849 1 Filegator 1 Filegator 2023-12-10 5.5 MEDIUM 5.4 MEDIUM
Session Fixation in GitHub repository filegator/filegator prior to 7.8.0.
CVE-2022-24745 1 Shopware 1 Shopware 2023-12-10 5.8 MEDIUM 6.5 MEDIUM
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.
CVE-2021-41246 1 Auth0 1 Express Openid Connect 2023-12-10 6.8 MEDIUM 8.8 HIGH
Express OpenID Connect is Express JS middleware implementing sign-on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session ID and session cookie when a user logs in. This behavior opens up the application to various session fixation vulnerabilities. Version `2.5.2` contains a patch for this issue.
CVE-2022-22551 1 Dell 1 Emc Appsync 2023-12-10 5.8 MEDIUM 8.8 HIGH
DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session.
CVE-2021-42073 1 Barrier Project 1 Barrier 2023-12-10 5.8 MEDIUM 8.2 HIGH
An issue was discovered in Barrier before 2.4.0. An attacker can enter an active session state with the barriers component (aka the server-side implementation of Barrier) simply by supplying a client label that identifies a valid client configuration. This label is "Unnamed" by default but could instead be guessed from hostnames or other publicly available information. In the active session state, an attacker can capture input device events from the server, and also modify the clipboard content on the server.
CVE-2021-31745 1 Pluck-cms 1 Pluck 2023-12-10 5.0 MEDIUM 7.5 HIGH
Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password.
CVE-2021-39066 1 Ibm 1 Financial Transaction Manager 2023-12-10 6.5 MEDIUM 8.8 HIGH
IBM Financial Transaction Manager 3.2.4 does not invalidate sessions; any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040.
CVE-2021-20151 1 Trendnet 2 Tew-827dru, Tew-827dru Firmware 2023-12-10 7.5 HIGH 10.0 CRITICAL
Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying client cookies, session tokens, etc. This allows an attacker (whether from a different computer, a different web browser on the same machine, etc.) to take over an existing session. This does require the attacker to be able to spoof or take over the original IP address of the original user's session.
CVE-2021-41268 1 Sensiolabs 1 Symfony 2023-12-10 6.5 MEDIUM 8.8 HIGH
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.
CVE-2021-32676 1 Nextcloud 1 Talk 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist.
CVE-2021-35948 1 Owncloud 1 Owncloud 2023-12-10 5.8 MEDIUM 5.4 MEDIUM
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.