Total
334 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-3269 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | 9.8 Critical |
| Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. | ||||
| CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2024-11-21 | 6.1 Medium |
| Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. | ||||
| CVE-2022-38369 | 1 Apache | 1 Iotdb | 2024-11-21 | 8.8 High |
| Apache IoTDB version 0.13.0 is vulnerable by session id attack. Users should upgrade to version 0.13.1 which addresses this issue. | ||||
| CVE-2022-38054 | 1 Apache | 1 Airflow | 2024-11-21 | 9.8 Critical |
| In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. | ||||
| CVE-2022-36437 | 2 Hazelcast, Redhat | 3 Hazelcast, Hazelcast-jet, Jboss Fuse | 2024-11-21 | 9.1 Critical |
| The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. | ||||
| CVE-2022-34536 | 1 Dw | 2 Megapix, Megapix Firmware | 2024-11-21 | 7.5 High |
| Digital Watchdog DW MEGApix IP cameras A7.2.2_20211029 allows attackers to access the core log file and perform session hijacking via a crafted session token. | ||||
| CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-11-21 | 6.5 Medium |
| IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704. | ||||
| CVE-2022-33927 | 1 Dell | 1 Wyse Management Suite | 2024-11-21 | 5.4 Medium |
| Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session. | ||||
| CVE-2022-31888 | 1 Enhancesoft | 1 Osticket | 2024-11-21 | 8.8 High |
| Session Fixation vulnerability in in function login in class.auth.php in osTicket through 1.16.2. | ||||
| CVE-2022-31798 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2024-11-21 | 6.1 Medium |
| Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account. | ||||
| CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2024-11-21 | 9.8 Critical |
| VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. | ||||
| CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 4.6 Medium |
| Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | ||||
| CVE-2022-30605 | 1 Wwbn | 1 Avideo | 2024-11-21 | 8.8 High |
| A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | ||||
| CVE-2022-2997 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 8.0 High |
| Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. | ||||
| CVE-2022-2820 | 1 Namelessmc | 1 Nameless | 2024-11-21 | 7 High |
| Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. | ||||
| CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2024-11-21 | 8.8 High |
| Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | ||||
| CVE-2022-26591 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2024-11-21 | 7.5 High |
| FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. | ||||
| CVE-2022-25896 | 2 Passport Project, Redhat | 2 Passport, Acm | 2024-11-21 | 4.8 Medium |
| This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. | ||||
| CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.3 Medium |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | ||||
| CVE-2022-24781 | 1 Geon Project | 1 Geon | 2024-11-21 | 7.1 High |
| Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists. | ||||