Total
329 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | |||||
| CVE-2025-27661 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.1 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. | |||||
| CVE-2025-29928 | 2025-03-28 | N/A | 8.0 HIGH | ||
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | |||||
| CVE-2023-30307 | 2025-03-27 | N/A | 5.3 MEDIUM | ||
| An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of service. | |||||
| CVE-2023-50270 | 1 Apache | 1 Dolphinscheduler | 2025-03-18 | N/A | 6.5 MEDIUM |
| Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |||||
| CVE-2024-56529 | 2025-03-14 | N/A | 7.1 HIGH | ||
| Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier. | |||||
| CVE-2024-49344 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | N/A | 4.3 MEDIUM |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still left active after logout. | |||||
| CVE-2025-26658 | 2025-03-11 | N/A | 6.8 MEDIUM | ||
| The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application with no effect on the availability of the application. | |||||
| CVE-2021-36394 | 1 Moodle | 1 Moodle | 2025-03-06 | N/A | 9.8 CRITICAL |
| In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. | |||||
| CVE-2025-1412 | 2025-02-24 | N/A | 3.1 LOW | ||
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | |||||
| CVE-2022-31888 | 1 Enhancesoft | 1 Osticket | 2025-02-13 | N/A | 8.8 HIGH |
| Session Fixation vulnerability in in function login in class.auth.php in osTicket through 1.16.2. | |||||
| CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2025-02-13 | N/A | 6.3 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | |||||
| CVE-2023-26260 | 1 Oxidforge | 1 Oxid Eshop | 2025-02-11 | N/A | 5.4 MEDIUM |
| OXID eShop 6.2.x before 6.4.4 and 6.5.x before 6.5.2 allows session hijacking, leading to partial access of a customer's account by an attacker, due to an improper check of the user agent. | |||||
| CVE-2022-40916 | 2025-02-07 | N/A | 9.8 CRITICAL | ||
| Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | |||||
| CVE-2023-2105 | 1 Easyappointments | 1 Easyappointments | 2025-02-06 | N/A | 8.8 HIGH |
| Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||
| CVE-2024-42207 | 2025-02-05 | N/A | 5.5 MEDIUM | ||
| HCL iAutomate is affected by a session fixation vulnerability. An attacker could hijack a victim's session ID from their authenticated session. | |||||
| CVE-2025-24503 | 2025-02-05 | N/A | N/A | ||
| A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. | |||||
| CVE-2025-24502 | 2025-02-05 | N/A | N/A | ||
| An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. | |||||
| CVE-2024-0157 | 1 Dell | 2 Storage Monitoring And Reporting, Storage Resource Manager | 2025-02-04 | N/A | 5.9 MEDIUM |
| Dell Storage Resource Manager, 4.9.0.0 and below, contain(s) a Session Fixation Vulnerability in SRM Windows Host Agent. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to the hijack of a targeted user's application session. | |||||
| CVE-2025-22216 | 2025-01-31 | N/A | 5.4 MEDIUM | ||
| A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones. | |||||