Total
323 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1000602 | 1 Jenkins | 1 Saml | 2024-09-16 | N/A |
| A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session. | ||||
| CVE-2019-18946 | 1 Microfocus | 1 Solutions Business Manager | 2024-09-16 | 4.8 Medium |
| Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation. | ||||
| CVE-2018-1375 | 1 Ibm | 1 Security Guardium Big Data Intelligence | 2024-09-16 | N/A |
| IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 137776. | ||||
| CVE-2020-4291 | 1 Ibm | 1 Security Information Queue | 2024-09-16 | 4.3 Medium |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334. | ||||
| CVE-2020-4243 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-09-16 | 3.7 Low |
| IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly invalidating session tokens. IBM X-Force ID: 175420. | ||||
| CVE-2017-15304 | 1 Airtame | 2 Hdmi Dongle, Hdmi Dongle Firmware | 2024-09-16 | N/A |
| /bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change. | ||||
| CVE-2018-1480 | 1 Ibm | 1 Bigfix Platform | 2024-09-16 | N/A |
| IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. If a Cross-Site Scripting vulnerability also existed attackers may be able to get the cookie values via malicious JavaScript and then hijack the user session. IBM X-Force ID: 140762. | ||||
| CVE-2019-18573 | 1 Dell | 1 Rsa Identity Governance And Lifecycle | 2024-09-16 | 8.8 High |
| The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability as the session token is exposed as part of the URL. A remote attacker can gain access to victim’s session and perform arbitrary actions with privileges of the user within the compromised session. | ||||
| CVE-2022-22681 | 1 Synology | 1 Photo Station | 2024-09-16 | 8.1 High |
| Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | ||||
| CVE-2024-45368 | 1 Automationdirect | 1 H2-dm1e Firmware | 2024-09-14 | 8.8 High |
| The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there's an observed anomaly in the H2-DM1E PLC's protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication. | ||||
| CVE-2024-42345 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-09-10 | 4.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP2). The affected application does not properly handle user session establishment and invalidation. This could allow a remote attacker to circumvent the additional multi factor authentication for user session establishment. | ||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2024-09-05 | 3.9 Low |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | ||||
| CVE-2023-5309 | 1 Puppet | 1 Puppet Enterprise | 2024-09-04 | 6.8 Medium |
| Versions of Puppet Enterprise prior to 2021.7.6 and 2023.5 contain a flaw which results in broken session management for SAML implementations. | ||||
| CVE-2024-31221 | 2024-09-03 | 5.9 Medium | ||
| Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability. | ||||
| CVE-2023-46733 | 1 Sensiolabs | 1 Symfony | 2024-09-03 | 6.5 Medium |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated. | ||||
| CVE-2023-50270 | 2024-08-29 | 6.5 Medium | ||
| Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | ||||
| CVE-2023-38018 | 1 Ibm | 1 Aspera Shares | 2024-08-29 | 6.3 Medium |
| IBM Aspera Shares 1.10.0 PL2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 260574. | ||||
| CVE-2024-22250 | 2024-08-27 | 7.8 High | ||
| Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system. | ||||
| CVE-2024-2639 | 2024-08-12 | 4.3 Medium | ||
| A vulnerability was found in Bdtask Wholesale Inventory Management System up to 20240311. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to session fixiation. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257245 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2020-8826 | 1 Argoproj | 1 Argo Cd | 2024-08-07 | 7.5 High |
| As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. | ||||