Total
365 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-11-21 | N/A | 6.5 MEDIUM |
| IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704. | |||||
| CVE-2022-33927 | 1 Dell | 1 Wyse Management Suite | 2024-11-21 | N/A | 5.4 MEDIUM |
| Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. A unauthenticated attacker could exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session. | |||||
| CVE-2022-31798 | 1 Nortekcontrol | 2 Emerge E3, Emerge E3 Firmware | 2024-11-21 | N/A | 6.1 MEDIUM |
| Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account. | |||||
| CVE-2022-30605 | 1 Wwbn | 1 Avideo | 2024-11-21 | N/A | 8.8 HIGH |
| A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability. | |||||
| CVE-2022-2997 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | N/A | 8.0 HIGH |
| Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. | |||||
| CVE-2022-2820 | 1 Namelessmc | 1 Nameless | 2024-11-21 | N/A | 7.0 HIGH |
| Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. | |||||
| CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | |||||
| CVE-2022-26591 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. | |||||
| CVE-2022-25896 | 1 Passport Project | 1 Passport | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed. | |||||
| CVE-2022-24781 | 1 Geon Project | 1 Geon | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
| Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists. | |||||
| CVE-2022-24745 | 1 Shopware | 1 Shopware | 2024-11-21 | 5.8 MEDIUM | 4.8 MEDIUM |
| Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache. | |||||
| CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Silverstripe silverstripe/framework through 4.10 allows Session Fixation. | |||||
| CVE-2022-22681 | 1 Synology | 1 Photo Station | 2024-11-21 | 5.0 MEDIUM | 8.1 HIGH |
| Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. | |||||
| CVE-2022-22551 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 5.8 MEDIUM | 8.3 HIGH |
| DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session. | |||||
| CVE-2022-1849 | 1 Filegator | 1 Filegator | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. | |||||
| CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-11-21 | N/A | 5.8 MEDIUM |
| Session fixation and insufficient session expiration vulnerabilities allow an attacker to perfom session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0. | |||||
| CVE-2021-42761 | 1 Fortinet | 1 Fortiweb | 2024-11-21 | N/A | 9.0 CRITICAL |
| A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 all versions, 6.3.0 through 6.3.16, 6.2.0 through 6.2.6, 6.1.0 through 6.1.2, 6.0.0 through 6.0.7, 5.9.0 through 5.9.1 may allow a remote, unauthenticated attacker to infer the session identifier of other users and possibly usurp their session. | |||||
| CVE-2021-42073 | 1 Barrier Project | 1 Barrier | 2024-11-21 | 5.8 MEDIUM | 8.2 HIGH |
| An issue was discovered in Barrier before 2.4.0. An attacker can enter an active session state with the barriers component (aka the server-side implementation of Barrier) simply by supplying a client label that identifies a valid client configuration. This label is "Unnamed" by default but could instead be guessed from hostnames or other publicly available information. In the active session state, an attacker can capture input device events from the server, and also modify the clipboard content on the server. | |||||
| CVE-2021-41553 | 1 Archibus | 1 Web Central | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. It was therefore possible to access the application through a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token, client-side, simply by making an unauthenticated GET Request to the Home Page and adding an arbitrary value to the JSESSIONID field. The application, following the login, does not assign a new token, continuing to keep the inserted one, as the identifier of the entire session. This is fixed in all recent versions, such as version 26. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020 | |||||
| CVE-2021-41268 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.5 MEDIUM | 6.5 MEDIUM |
| Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore. | |||||