Total
300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5543 | 1 Mitsubishielectric | 2 Iu1-1m20-d, Iu1-1m20-d Firmware | 2020-03-18 | 7.5 HIGH | 9.8 CRITICAL |
| TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | |||||
| CVE-2020-8990 | 1 Western Digital | 2 Ibi, My Cloud Home | 2020-02-24 | 6.4 MEDIUM | 9.1 CRITICAL |
| Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation. | |||||
| CVE-2014-10399 | 1 Keplerproject | 1 Cgilua | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. | |||||
| CVE-2014-10400 | 1 Keplerproject | 1 Cgilua | 2020-02-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. | |||||
| CVE-2013-4572 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2020-02-10 | 5.0 MEDIUM | 7.5 HIGH |
| The CentralNotice extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 sets the Cache-Control header to cache session cookies when a user is autocreated, which allows remote attackers to authenticate as the created user. | |||||
| CVE-2013-0507 | 1 Ibm | 1 Infosphere Information Server | 2020-02-07 | 5.8 MEDIUM | 8.1 HIGH |
| IBM InfoSphere Information Server 8.1, 8.5, 8.7, 9.1 has a Session Fixation Vulnerability | |||||
| CVE-2020-5205 | 1 Powauth | 1 Pow | 2020-01-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability. | |||||
| CVE-2019-17062 | 1 Oxid-esales | 1 Eshop | 2019-11-08 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation. | |||||
| CVE-2010-3671 | 1 Typo3 | 1 Typo3 | 2019-11-08 | 9.4 HIGH | 6.5 MEDIUM |
| TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session. | |||||
| CVE-2019-18418 | 1 Clonos | 1 Clonos | 2019-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. | |||||
| CVE-2019-15849 | 1 Eq-3 | 2 Homematic Ccu3, Homematic Ccu3 Firmware | 2019-10-22 | 4.9 MEDIUM | 7.3 HIGH |
| eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system. | |||||
| CVE-2019-3784 | 1 Cloudfoundry | 1 Stratos | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id. | |||||
| CVE-2019-1807 | 1 Cisco | 1 Umbrella | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user session. The vulnerability exists due to the affected application not invalidating an existing session when a user authenticates to the application and changes the users credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active session to connect to the application through the web UI. A successful exploit could allow the attacker to maintain access to the dashboard via an authenticated user's browser session. Cisco has addressed this vulnerability in the Cisco Umbrella Dashboard. No user action is required. | |||||
| CVE-2019-13517 | 1 Bd | 2 Pyxis Enterprise Server, Pyxis Es | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain. | |||||
| CVE-2018-8852 | 1 Philips | 1 E-alert Firmware | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier. | |||||
| CVE-2018-5465 | 1 Belden | 134 Hirschmann M1-8mm-sc, Hirschmann M1-8sfp, Hirschmann M1-8sm-sc and 131 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A session fixation vulnerability in the web interface has been identified, which may allow an attacker to hijack web sessions. | |||||
| CVE-2018-2408 | 1 Sap | 1 Businessobjects | 2019-10-09 | 7.5 HIGH | 7.3 HIGH |
| Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active. | |||||
| CVE-2018-2409 | 1 Sap | 1 Cloud Platform | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform. | |||||
| CVE-2018-1948 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2019-10-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 153428. | |||||
| CVE-2018-1962 | 1 Ibm | 1 Security Identity Manager | 2019-10-09 | 2.1 LOW | 3.3 LOW |
| IBM Security Identity Manager 7.0.1 Virtual Appliance does not invalidate session tokens when the logout button is pressed. The lack of proper session termination may allow attackers with local access to login into a closed browser session. IBM X-Force ID: 153658. | |||||