| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. |
| An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login. |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache. |
| Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists. |
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. |
| Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. |
| Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. |
| Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. |
| Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. |
| ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories. |
| IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293. |
| A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. |
| IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. IBM X-Force ID: 120257 |
| Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors. |
| IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced. |
| Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request. |
| In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. |
| Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced. |
| An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. |
