Total
381 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-12873 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. | |||||
| CVE-2020-15679 | 1 Mozilla | 1 Vpn | 2025-04-16 | N/A | 7.6 HIGH |
| An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360). | |||||
| CVE-2022-44017 | 1 Simmeth | 1 Lieferantenmanager | 2025-04-15 | N/A | 7.5 HIGH |
| An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout. | |||||
| CVE-2014-4789 | 1 Ibm | 1 Initiate Master Data Service | 2025-04-12 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
| CVE-2022-36437 | 1 Hazelcast | 2 Hazelcast, Hazelcast-jet | 2025-04-11 | N/A | 9.1 CRITICAL |
| The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. | |||||
| CVE-2024-23193 | 1 Open-xchange | 1 Ox App Suite | 2025-04-10 | N/A | 5.3 MEDIUM |
| E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known. | |||||
| CVE-2024-11317 | 1 Abb | 38 Aspect-ent-12, Aspect-ent-12 Firmware, Aspect-ent-2 and 35 more | 2025-04-10 | N/A | 10.0 CRITICAL |
| Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | |||||
| CVE-2022-43529 | 1 Arubanetworks | 1 Aruba Edgeconnect Enterprise Orchestrator | 2025-04-10 | N/A | 4.6 MEDIUM |
| A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned. | |||||
| CVE-2021-29368 | 1 Cuppacms | 1 Cuppacms | 2025-04-03 | N/A | 8.8 HIGH |
| Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions. | |||||
| CVE-2023-24427 | 1 Jenkins | 1 Bitbucket Oauth | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2025-04-02 | N/A | 8.8 HIGH |
| Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | |||||
| CVE-2025-27661 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.1 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. | |||||
| CVE-2023-50270 | 1 Apache | 1 Dolphinscheduler | 2025-03-18 | N/A | 6.5 MEDIUM |
| Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |||||
| CVE-2024-49344 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | N/A | 4.3 MEDIUM |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still left active after logout. | |||||
| CVE-2021-36394 | 1 Moodle | 1 Moodle | 2025-03-06 | N/A | 9.8 CRITICAL |
| In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. | |||||
| CVE-2022-31888 | 1 Enhancesoft | 1 Osticket | 2025-02-13 | N/A | 8.8 HIGH |
| Session Fixation vulnerability in in function login in class.auth.php in osTicket through 1.16.2. | |||||
| CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2025-02-13 | N/A | 6.3 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | |||||
| CVE-2023-26260 | 1 Oxidforge | 1 Oxid Eshop | 2025-02-11 | N/A | 5.4 MEDIUM |
| OXID eShop 6.2.x before 6.4.4 and 6.5.x before 6.5.2 allows session hijacking, leading to partial access of a customer's account by an attacker, due to an improper check of the user agent. | |||||
| CVE-2023-2105 | 1 Easyappointments | 1 Easyappointments | 2025-02-06 | N/A | 8.8 HIGH |
| Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||