Total
291 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2022-07-26 | N/A | 7.5 HIGH |
| Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allows attackers to access the core log file and perform session hijacking via a crafted session token. | |||||
| CVE-2022-22681 | 1 Synology | 1 Photo Station | 2022-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | |||||
| CVE-2022-25896 | 1 Passport Project | 1 Passport | 2022-07-13 | 5.8 MEDIUM | 4.8 MEDIUM |
| This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. | |||||
| CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2022-07-13 | 6.4 MEDIUM | 6.5 MEDIUM |
| Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | |||||
| CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2022-06-08 | 6.8 MEDIUM | 8.8 HIGH |
| Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | |||||
| CVE-2022-1849 | 1 Filegator | 1 Filegator | 2022-06-03 | 5.5 MEDIUM | 5.4 MEDIUM |
| Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. | |||||
| CVE-2021-38869 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-05-04 | 7.5 HIGH | 9.8 CRITICAL |
| IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceede their idle timeout. IBM X-Force ID: 208341. | |||||
| CVE-2020-25152 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2022-04-21 | 5.8 MEDIUM | 8.1 HIGH |
| A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges. | |||||
| CVE-2022-24781 | 1 Geon Project | 1 Geon | 2022-03-31 | 5.5 MEDIUM | 7.1 HIGH |
| Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists. | |||||
| CVE-2022-24745 | 1 Shopware | 1 Shopware | 2022-03-18 | 5.8 MEDIUM | 6.5 MEDIUM |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache. | |||||
| CVE-2021-39066 | 1 Ibm | 1 Financial Transaction Manager | 2022-02-05 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Financial Transaction Manager 3.2.4 does not invalidate session any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040. | |||||
| CVE-2022-22551 | 1 Dell | 1 Emc Appsync | 2022-01-27 | 5.8 MEDIUM | 8.8 HIGH |
| DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session. | |||||
| CVE-2021-20151 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2022-01-07 | 7.5 HIGH | 10.0 CRITICAL |
| Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying client cookies/session tokens/etc. This allows an attacker (whether from a different computer, different web browser on the same machine, etc.) to take over an existing session. This does require the attacker to be able to spoof or take over original IP address of the original user's session. | |||||
| CVE-2021-31745 | 1 Pluck-cms | 1 Pluck | 2021-12-14 | 5.0 MEDIUM | 7.5 HIGH |
| Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password. | |||||
| CVE-2021-41246 | 1 Auth0 | 1 Express Openid Connect | 2021-12-14 | 6.8 MEDIUM | 8.8 HIGH |
| Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when user logs in. This behavior opens up the application to various session fixation vulnerabilities. Versions `2.5.2` contains a patch for this issue. | |||||
| CVE-2021-41268 | 1 Sensiolabs | 1 Symfony | 2021-11-30 | 6.5 MEDIUM | 8.8 HIGH |
| Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore. | |||||
| CVE-2007-4188 | 1 Joomla | 1 Joomla\! | 2021-10-01 | 9.3 HIGH | N/A |
| Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. | |||||
| CVE-2021-35948 | 1 Owncloud | 1 Owncloud | 2021-09-15 | 5.8 MEDIUM | 5.4 MEDIUM |
| Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie. | |||||
| CVE-2021-22237 | 1 Gitlab | 1 Gitlab | 2021-08-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2 | |||||
| CVE-2021-22927 | 1 Citrix | 16 Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 13 more | 2021-08-16 | 5.8 MEDIUM | 8.1 HIGH |
| A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session. | |||||