Total: 334 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-24745 | 1 Shopware | 1 Shopware | 2024-11-21 | 4.8 Medium | Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, guest sessions are shared between customers when the HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP cache. |
CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.5 Medium | Silverstripe silverstripe/framework through 4.10 allows Session Fixation. |
CVE-2022-22681 | 1 Synology | 1 Photo Station | 2024-11-21 | 8.1 High | Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraints via unspecified vectors. |
CVE-2022-22551 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 8.3 High | DELL EMC AppSync versions 3.9 to 4.3 use the GET request method with sensitive query strings. An adjacent, unauthenticated attacker could potentially exploit this vulnerability and hijack the victim's session. |
CVE-2022-1849 | 1 Filegator | 1 Filegator | 2024-11-21 | 5.4 Medium | Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. |
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-11-21 | 5.8 Medium | Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. |
CVE-2021-42761 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | 8.5 High | A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session. |
CVE-2021-42073 | 1 Barrier Project | 1 Barrier | 2024-11-21 | 8.2 High | An issue was discovered in Barrier before 2.4.0. An attacker can enter an active session state with the barriers component (aka the server-side implementation of Barrier) simply by supplying a client label that identifies a valid client configuration. This label is "Unnamed" by default but could instead be guessed from hostnames or other publicly available information. In the active session state, an attacker can capture input device events from the server, and also modify the clipboard content on the server. |
CVE-2021-41553 | 1 Archibus | 1 Web Central | 2024-11-21 | 9.8 Critical | In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the web application in /archibus/login.axvw assigns a session token that could already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token client-side, simply by making an unauthenticated GET request to the home page and adding an arbitrary value to the JSESSIONID field. Following the login, the application does not assign a new token and keeps the inserted one as the identifier for the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020. |
CVE-2021-41268 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 Medium | Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember Me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed, as long as they have had the chance to log in once and obtain a valid Remember Me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default, so that when the password changes the cookie is no longer valid. |
CVE-2021-41246 | 1 Auth0 | 1 Express Openid Connect | 2024-11-21 | 4.6 Medium | Express OpenID Connect is Express JS middleware implementing sign-on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session ID and session cookie when the user logs in. This behavior opens up the application to various session fixation vulnerabilities. Version `2.5.2` contains a patch for this issue. |
CVE-2021-39290 | 1 Netmodule | 16 Nb1600, Nb1601, Nb1800 and 13 more | 2024-11-21 | 9.8 Critical | Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800. |
CVE-2021-39066 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | 8.8 High | IBM Financial Transaction Manager 3.2.4 does not invalidate sessions; any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040. |
CVE-2021-38869 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | 9.8 Critical | IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceed their idle timeout. IBM X-Force ID: 208341. |
CVE-2021-36394 | 1 Moodle | 1 Moodle | 2024-11-21 | 9.8 Critical | In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. |
CVE-2021-35948 | 1 Owncloud | 1 Owncloud | 2024-11-21 | 5.4 Medium | Session fixation on password-protected public links in ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie. |
CVE-2021-35046 | 1 Icehrm | 1 Icehrm | 2024-11-21 | 6.1 Medium | A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. |
CVE-2021-33394 | 1 Cubecart | 1 Cubecart | 2024-11-21 | 5.4 Medium | Cubecart 6.4.2 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. |
CVE-2021-32710 | 1 Shopware | 1 Shopware | 2024-11-21 | 5.9 Medium | Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend updating to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. |
CVE-2021-32676 | 1 Nextcloud | 1 Talk | 2024-11-21 | 6.5 Medium | Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password-protected shared chats in Talk before versions 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk app is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist. |