Total
291 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-3783 | 1 Cloudfoundry | 1 Stratos | 2020-10-19 | 4.0 MEDIUM | 8.8 HIGH |
| Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user. | |||||
| CVE-1999-0428 | 1 Openssl | 1 Openssl | 2020-10-13 | 7.5 HIGH | N/A |
| OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. | |||||
| CVE-2019-6584 | 1 Siemens | 2 Logo\!8, Logo\!8 Firmware | 2020-09-29 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2020-11728 | 2 Davical, Debian | 2 Andrew\'s Web Libraries, Debian Linux | 2020-09-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session. | |||||
| CVE-2020-6302 | 1 Sap | 1 Commerce | 2020-09-10 | 7.5 HIGH | 8.1 HIGH |
| SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application. | |||||
| CVE-2019-18573 | 1 Dell | 1 Rsa Identity Governance And Lifecycle | 2020-08-31 | 6.8 MEDIUM | 8.8 HIGH |
| The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability as the session token is exposed as part of the URL. A remote attacker can gain access to victim’s session and perform arbitrary actions with privileges of the user within the compromised session. | |||||
| CVE-2019-8116 | 1 Magento | 1 Magento | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page. | |||||
| CVE-2020-11729 | 2 Davical, Debian | 2 Andrew\'s Web Libraries, Debian Linux | 2020-08-18 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, uses to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful. | |||||
| CVE-2020-4243 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2020-08-06 | 4.3 MEDIUM | 3.7 LOW |
| IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly invalidating session tokens. IBM X-Force ID: 175420. | |||||
| CVE-2019-0102 | 1 Intel | 1 Data Center Manager | 2020-07-28 | 5.8 MEDIUM | 8.8 HIGH |
| Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access. | |||||
| CVE-2020-4527 | 1 Ibm | 1 Planning Analytics | 2020-07-22 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM X-Force ID: 182631. | |||||
| CVE-2020-6290 | 1 Sap | 1 Disclosure Management | 2020-07-14 | 6.8 MEDIUM | 6.3 MEDIUM |
| SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID. | |||||
| CVE-2020-5596 | 1 Mitsubishielectric | 4 Coreos, Got2000 Gt23, Got2000 Gt25 and 1 more | 2020-07-14 | 5.0 MEDIUM | 7.5 HIGH |
| TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | |||||
| CVE-2019-4591 | 1 Ibm | 1 Maximo Asset Management | 2020-07-14 | 4.6 MEDIUM | 7.8 HIGH |
| IBM Maximo Asset Management 7.6.0 and 7.6.1 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 167451. | |||||
| CVE-2020-15018 | 1 Playsms | 1 Playsms | 2020-07-08 | 6.4 MEDIUM | 6.5 MEDIUM |
| playSMS through 1.4.3 is vulnerable to session fixation. | |||||
| CVE-2019-19610 | 1 Halvotec | 1 Raquest | 2020-06-25 | 5.8 MEDIUM | 5.4 MEDIUM |
| An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows session fixation. Fixed in Release 24.2020.20608.0. | |||||
| CVE-2020-4229 | 1 Ibm | 1 Mobile Foundation | 2020-06-10 | 7.5 HIGH | 7.3 HIGH |
| IBM Worklight/MobileFoundation 8.0.0.0 does not properly invalidate session cookies when a user logs out of a session, which could allow another user to gain unauthorized access to a user's session. IBM X-Force ID: 175211. | |||||
| CVE-2020-13229 | 1 Sysax | 1 Multi Server | 2020-06-02 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token. | |||||
| CVE-2020-12258 | 1 Rconfig | 1 Rconfig | 2020-05-19 | 6.4 MEDIUM | 9.1 CRITICAL |
| rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse a session via PHPSESSID. Also, an attacker can exploit this vulnerability in conjunction with CVE-2020-12256 or CVE-2020-12259. | |||||
| CVE-2020-1993 | 1 Paloaltonetworks | 1 Pan-os | 2020-05-15 | 5.5 MEDIUM | 5.4 MEDIUM |
| The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8. | |||||