Total: 314 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-46480 | 1 U-tec | 2 Ultraloq Ul3 Bt, Ultraloq Ul3 Bt Firmware | 2024-08-03 | 8.1 High |
Incorrect Session Management and Credential Re-use in the Bluetooth LE stack of the Ultraloq UL3 2nd Gen Smart Lock Firmware 02.27.0012 allows an attacker to sniff the unlock code and unlock the device whilst within Bluetooth range. | ||||
CVE-2022-44788 | 1 Maggioli | 1 Appalti & Contratti | 2024-08-03 | 6.5 Medium |
An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login. | ||||
CVE-2022-44017 | 1 Simmeth | 1 Lieferantenmanager | 2024-08-03 | 7.5 High |
An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout. | ||||
CVE-2022-44007 | 1 Backclick | 1 Backclick | 2024-08-03 | 8.8 High |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. | ||||
CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2024-08-03 | 5.4 Medium |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
CVE-2022-43529 | 1 Arubanetworks | 1 Aruba Edgeconnect Enterprise Orchestrator | 2024-08-03 | 4.6 Medium |
A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow a remote attacker to persist a session after a password reset or similar session-clearing event. Successful exploitation could allow an authenticated attacker to remain on the system with the permissions of their current session after that session should have been invalidated. Affected: Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators, in Orchestrator 9.2.1.40179 and below, 9.1.4.40436 and below, 9.0.7.40110 and below, 8.10.23.40015 and below, and any older branches of Orchestrator not specifically mentioned. | ||||
CVE-2022-43398 | 1 Siemens | 4 7kg9501-0aa01-2aa1, 7kg9501-0aa01-2aa1 Firmware, 7kg9501-0aa31-2aa1 and 1 more | 2024-08-03 | 7.5 High |
A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50; the advisory lists each affected order variant separately). Affected devices do not renew the session cookie after login/logout and also accept user-defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim logs in, the attacker is given access to the user's account through the activated session. | ||||
CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2024-08-03 | 9.8 Critical |
The application was vulnerable to a session fixation that could be used to hijack accounts. | ||||
CVE-2022-40226 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2024-08-03 | 7.5 High |
A vulnerability has been identified in SICAM P850 (All versions < V3.10) and SICAM P855 (All versions < V3.10); the advisory lists each affected order variant separately. Affected devices accept user-defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login. | ||||
CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2024-08-03 | 6.1 Medium |
Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. | ||||
CVE-2022-38369 | 1 Apache | 1 Iotdb | 2024-08-03 | 8.8 High |
Apache IoTDB version 0.13.0 is vulnerable to a session ID attack. Users should upgrade to version 0.13.1, which addresses this issue. | ||||
CVE-2022-38054 | 1 Apache | 1 Airflow | 2024-08-03 | 9.8 Critical |
In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | ||||
CVE-2022-36437 | 2 Hazelcast, Redhat | 3 Hazelcast, Hazelcast-jet, Jboss Fuse | 2024-08-03 | 9.1 Critical |
The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. | ||||
CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2024-08-03 | 7.5 High |
Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allows attackers to access the core log file and perform session hijacking via a crafted session token. | ||||
CVE-2022-31798 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2024-08-03 | 6.1 Medium |
Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account. | ||||
CVE-2022-31888 | 1 Enhancesoft | 1 Osticket | 2024-08-03 | 8.8 High |
Session Fixation vulnerability in the login function in class.auth.php in osTicket through 1.16.2. | ||||
CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2024-08-03 | 9.8 Critical |
VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. | ||||
CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2024-08-03 | 4.6 Medium |
Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | ||||
CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2024-08-03 | 8.8 High |
Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | ||||
CVE-2022-26591 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2024-08-03 | 7.5 High |
FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. |
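
Most of the entries above share one root cause: the server keeps using the session identifier the client already had when the user authenticates, or adopts whatever identifier the client presents (the SICAM entries), so an attacker who can plant an identifier in the victim's browser ends up holding an authenticated session. The in-memory session store below is an added illustration and is not code from any vendor or project listed on this page; `SessionStore`, `fixation_attack`, the user name `alice` and the planted identifier are all hypothetical. It runs the same fixation sequence against a store with and without the two remediations (regenerate the identifier at login; never adopt an identifier the server did not issue), and separately shows the invalidate-on-password-reset check that the EdgeConnect entry describes as missing.

```python
"""
Session fixation with a minimal in-memory session store.

Added illustration; the store, login flow, user name and planted ID are
hypothetical and not taken from any product on this page.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until authenticated


@dataclass
class SessionStore:
    regenerate_on_login: bool           # vulnerable when False (no new ID at auth)
    accept_client_ids: bool             # vulnerable when True (adopts unknown cookies)
    sessions: Dict[str, Session] = field(default_factory=dict)

    def new_id(self) -> str:
        return secrets.token_urlsafe(32)

    def request(self, cookie: Optional[str]) -> str:
        """Resolve the cookie the client sent to a server-side session ID."""
        if cookie in self.sessions:
            return cookie
        if cookie is not None and self.accept_client_ids:
            # Vulnerable: the server adopts an ID it never issued, so the
            # attacker can pick the value in advance.
            self.sessions[cookie] = Session()
            return cookie
        sid = self.new_id()                   # unknown cookie: issue a fresh ID
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate; return the ID the client must use from now on."""
        if self.regenerate_on_login:
            # Hardened: discard the pre-auth ID so a fixated value is useless.
            self.sessions.pop(sid, None)
            sid = self.new_id()
        self.sessions[sid] = Session(user=user)
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.user if s else None

    def reset_password(self, user: str, keep: Optional[str] = None) -> int:
        """Invalidate every other session of `user`; returns how many were dropped."""
        stale = [k for k, s in self.sessions.items() if s.user == user and k != keep]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def fixation_attack(store: SessionStore) -> bool:
    """True if an attacker who planted a session ID ends up logged in as the victim."""
    # 1. Attacker obtains an ID it knows: a server that adopts client-supplied
    #    IDs lets it choose one; otherwise it simply requests a fresh pre-auth session.
    planted = store.request("attacker-chosen-id")     # constructed value
    # 2. Victim's browser is made to present that ID and the victim logs in.
    victim_cookie = store.request(planted)
    store.login(victim_cookie, "alice")
    # 3. Attacker replays the ID it planted.
    return store.whoami(planted) == "alice"


def run_scenarios() -> Dict[str, bool]:
    """Attack outcome per configuration (True = account taken over)."""
    return {
        "no_regenerate": fixation_attack(SessionStore(False, False)),
        "accepts_client_ids_no_regenerate": fixation_attack(SessionStore(False, True)),
        "accepts_client_ids_but_regenerates": fixation_attack(SessionStore(True, True)),
        "hardened": fixation_attack(SessionStore(True, False)),
    }


def reset_kills_other_sessions() -> bool:
    """Password reset must invalidate every session except the one performing it."""
    store = SessionStore(True, False)
    laptop = store.login(store.request(None), "alice")
    stolen = store.login(store.request(None), "alice")   # e.g. a hijacked session
    store.reset_password("alice", keep=laptop)
    return store.whoami(laptop) == "alice" and store.whoami(stolen) is None


if __name__ == "__main__":
    for name, taken_over in run_scenarios().items():
        print(f"{name:40s} account taken over: {taken_over}")
    print("reset invalidates other sessions:", reset_kills_other_sessions())
```

The scenario table is the practical takeaway: regenerating the identifier at authentication defeats the modeled attack even when the server still adopts client-supplied identifiers, which is why "issue a new session ID on login" is the fix named in the Concrete CMS and Gibbon entries; adopting unknown identifiers remains a defect on its own, since it lets an attacker bypass the server's random ID generation entirely.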