Total
353 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-23193 | 1 Open-xchange | 1 Ox App Suite | 2025-04-10 | 5.3 Medium |
| E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known. | ||||
| CVE-2024-11317 | 1 Abb | 41 Aspect-ent-12, Aspect-ent-12 Firmware, Aspect-ent-2 and 38 more | 2025-04-10 | 10 Critical |
| Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | ||||
| CVE-2022-43529 | 1 Arubanetworks | 1 Aruba Edgeconnect Enterprise Orchestrator | 2025-04-10 | 4.6 Medium |
| A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned. | ||||
| CVE-2009-1580 | 2 Redhat, Squirrelmail | 2 Enterprise Linux, Squirrelmail | 2025-04-09 | N/A |
| Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. | ||||
| CVE-2007-4188 | 1 Joomla | 1 Joomla\! | 2025-04-09 | N/A |
| Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. | ||||
| CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2025-04-09 | N/A |
| Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | ||||
| CVE-2021-29368 | 1 Cuppacms | 1 Cuppacms | 2025-04-03 | 8.8 High |
| Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions. | ||||
| CVE-2001-1534 | 1 Apache | 1 Http Server | 2025-04-03 | N/A |
| mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. | ||||
| CVE-1999-0428 | 1 Openssl | 1 Openssl | 2025-04-03 | 6.5 Medium |
| OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. | ||||
| CVE-2023-24427 | 1 Jenkins | 1 Bitbucket Oauth | 2025-04-02 | 9.8 Critical |
| Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. | ||||
| CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2025-04-02 | 8.8 High |
| Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | ||||
| CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2025-04-02 | 9.8 Critical |
| Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | ||||
| CVE-2025-27661 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | 9.1 Critical |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. | ||||
| CVE-2023-6800 | 2025-04-01 | 0.0 Low | ||
| No description is available for this CVE. | ||||
| CVE-2025-29928 | 2025-03-28 | 8 High | ||
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | ||||
| CVE-2023-30307 | 2025-03-27 | 5.3 Medium | ||
| An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of service. | ||||
| CVE-2023-50270 | 1 Apache | 1 Dolphinscheduler | 2025-03-18 | 6.5 Medium |
| Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | ||||
| CVE-2024-56529 | 2025-03-14 | 7.1 High | ||
| Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier. | ||||
| CVE-2025-26658 | 2025-03-12 | 6.8 Medium | ||
| The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application with no effect on the availability of the application. | ||||
| CVE-2024-49344 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | 4.3 Medium |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still left active after logout. | ||||