Total: 334 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2019-4152 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 4.4 Medium | IBM Security Access Manager 9.0.1 through 9.0.6 does not invalidate session tokens in a timely manner. The lack of proper session expiration may allow attackers with local access to log in to a closed browser session. IBM X-Force ID: 158515. |
CVE-2019-3784 | 1 Cloudfoundry | 1 Stratos | 2024-11-21 | N/A | Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on Cloud Foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session ID. |
CVE-2019-3783 | 1 Cloudfoundry | 1 Stratos | 2024-11-21 | 8.8 High | Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with the default session store secret can brute force another user's current Stratos session and act on behalf of that user. |
CVE-2019-1807 | 1 Cisco | 1 Umbrella | 2024-11-21 | N/A | A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active user session. The vulnerability exists because the affected application does not invalidate an existing session when a user authenticates to the application and changes the user's credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active session to connect to the application through the web UI. A successful exploit could allow the attacker to maintain access to the Dashboard via an authenticated user's browser session. Cisco has addressed this vulnerability in the Cisco Umbrella Dashboard. No user action is required. |
CVE-2019-19610 | 1 Halvotec | 1 Raquest | 2024-11-21 | 5.4 Medium | An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows session fixation. Fixed in release 24.2020.20608.0. |
CVE-2019-18946 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | 4.8 Medium | Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation. |
CVE-2019-18573 | 1 Dell | 1 Rsa Identity Governance And Lifecycle | 2024-11-21 | 8.8 High | The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a session fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability, as the session token is exposed as part of the URL. A remote attacker can gain access to the victim's session and perform arbitrary actions with the privileges of the user within the compromised session. |
CVE-2019-18418 | 1 Clonos | 1 Clonos | 2024-11-21 | 9.8 Critical | clonos.php in the ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. |
CVE-2019-17563 | 6 Apache, Canonical, Debian and 3 more | 14 Tomcat, Ubuntu Linux, Debian Linux and 11 more | 2024-11-21 | 7.5 High | When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98, there was a narrow window in which an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical, but, erring on the side of caution, this issue has been treated as a security vulnerability. |
CVE-2019-17062 | 1 Oxid-esales | 1 Eshop | 2024-11-21 | 8.8 High | An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition 5.2.x-5.3.x, OXID eShop Professional Edition 4.9.x-4.10.x and OXID eShop Community Edition 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation. |
CVE-2019-15849 | 1 Eq-3 | 2 Homematic Ccu3, Homematic Ccu3 Firmware | 2024-11-21 | 7.3 High | eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system. |
CVE-2019-15612 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 5.9 Medium | A bug in Nextcloud Server 15.0.2 causes pending 2FA logins not to be correctly expired when the user's password is reset. |
CVE-2019-13517 | 1 Bd | 2 Pyxis Enterprise Server, Pyxis Es | 2024-11-21 | N/A | In Pyxis ES versions 1.3.4 through 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on Active Directory user account changes when the device is joined to an AD domain. |
CVE-2019-12258 | 5 Belden, Netapp, Siemens and 2 more | 50 Garrettcom Magnum Dx940e, Garrettcom Magnum Dx940e Firmware, Hirschmann Dragon Mach4000 and 47 more | 2024-11-21 | 7.5 High | Wind River VxWorks 6.6 through vx7 has session fixation in the TCP component. This is an IPNET security vulnerability: DoS of a TCP connection via malformed TCP options. |
CVE-2019-12203 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.3 Medium | SilverStripe through 4.3.3 allows session fixation in the "change password" form. |
CVE-2019-11331 | 1 Ntp | 1 Ntp | 2024-11-21 | N/A | Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks. |
CVE-2019-11213 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Pulse Connect Secure, Pulse Secure Desktop Client | 2024-11-21 | N/A | In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions and, as a result, gain unauthorized access as an end user; this is a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 before 8.1R14, 8.3 before 8.3R7, and 9.0 before 9.0R3. |
CVE-2019-10371 | 1 Jenkins | 1 Gitlab Oauth | 2024-11-21 | 7.5 High | A session fixation vulnerability in Jenkins GitLab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. |
CVE-2019-10158 | 2 Infinispan, Redhat | 2 Infinispan, Jboss Data Grid | 2024-11-21 | 9.8 Critical | A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. |
CVE-2019-10120 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2024-11-21 | N/A | On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154. |