Total
353 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-4243 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-11-21 | 3.7 Low |
| IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly invalidating session tokens. IBM X-Force ID: 175420. | ||||
| CVE-2020-4229 | 1 Ibm | 1 Mobile Foundation | 2024-11-21 | 7.3 High |
| IBM Worklight/MobileFoundation 8.0.0.0 does not properly invalidate session cookies when a user logs out of a session, which could allow another user to gain unauthorized access to a user's session. IBM X-Force ID: 175211. | ||||
| CVE-2020-35591 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 5.4 Medium |
| Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. | ||||
| CVE-2020-35229 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 8.8 High |
| The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges. | ||||
| CVE-2020-25198 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2024-11-21 | 8.8 High |
| The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session and hijack it by stealing the user’s cookies. | ||||
| CVE-2020-1993 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 3.7 Low |
| The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8. | ||||
| CVE-2020-1762 | 2 Kiali, Redhat | 3 Kiali, Openshift Service Mesh, Service Mesh | 2024-11-21 | 7 High |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | ||||
| CVE-2020-15909 | 1 Solarwinds | 1 N-central | 2024-11-21 | 8.8 High |
| SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi factor request as N-Central is a highly privileged service. | ||||
| CVE-2020-15018 | 1 Playsms | 1 Playsms | 2024-11-21 | 6.5 Medium |
| playSMS through 1.4.3 is vulnerable to session fixation. | ||||
| CVE-2020-13229 | 1 Sysax | 1 Multi Server | 2024-11-21 | 8.8 High |
| An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token. | ||||
| CVE-2020-12467 | 1 Intelliants | 1 Subrion | 2024-11-21 | 6.5 Medium |
| Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. | ||||
| CVE-2020-12258 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 9.1 Critical |
| rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse a session via PHPSESSID. Also, an attacker can exploit this vulnerability in conjunction with CVE-2020-12256 or CVE-2020-12259. | ||||
| CVE-2020-11729 | 2 Davical, Debian | 2 Andrew\'s Web Libraries, Debian Linux | 2024-11-21 | 9.8 Critical |
| An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, uses to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful. | ||||
| CVE-2020-11728 | 2 Davical, Debian | 2 Andrew\'s Web Libraries, Debian Linux | 2024-11-21 | 7.5 High |
| An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Session management does not use a sufficiently hard-to-guess session key. Anyone who can guess the microsecond time (and the incrementing session_id) can impersonate a session. | ||||
| CVE-2020-10714 | 2 Netapp, Redhat | 13 Oncommand Insight, Codeready Studio, Descision Manager and 10 more | 2024-11-21 | 7.5 High |
| A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
| CVE-2019-9744 | 1 Phoenixcontact | 8 Fl Nat Smcs 8tx, Fl Nat Smcs 8tx Firmware, Fl Nat Smn 8tx and 5 more | 2024-11-21 | N/A |
| An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier. | ||||
| CVE-2019-8116 | 1 Magento | 1 Magento | 2024-11-21 | 7.5 High |
| Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can leverage a guest session id value following a successful login to gain access to customer account index page. | ||||
| CVE-2019-7849 | 1 Magento | 1 Magento | 2024-11-21 | N/A |
| A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. | ||||
| CVE-2019-7747 | 1 Dbninja | 1 Dbninja | 2024-11-21 | N/A |
| DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. | ||||
| CVE-2019-7350 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins. | ||||