Total
300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14163 | 1 Mahara | 1 Mahara | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account. | |||||
| CVE-2019-6161 | 1 Lenovo | 2 Cp Storage Block, Cp Storage Block Firmware | 2019-10-01 | 5.0 MEDIUM | 7.5 HIGH |
| An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs. | |||||
| CVE-2019-12203 | 1 Silverstripe | 1 Silverstripe | 2019-09-27 | 3.7 LOW | 6.3 MEDIUM |
| SilverStripe through 4.3.3 allows session fixation in the "change password" form. | |||||
| CVE-2019-5406 | 1 Hp | 1 3par Storeserv Management Console | 2019-08-16 | 9.0 HIGH | 7.2 HIGH |
| A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. | |||||
| CVE-2019-5400 | 1 Hp | 2 3par Service Processor, 3par Service Processor Firmware | 2019-08-16 | 6.5 MEDIUM | 6.3 MEDIUM |
| A remote session reuse vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. | |||||
| CVE-2019-7849 | 1 Magento | 1 Magento | 2019-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. | |||||
| CVE-2017-4963 | 1 Pivotal Software | 3 Cloud Foundry Cf-release, Cloud Foundry Uaa, Cloud Foundry Uaa-release | 2019-07-30 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. | |||||
| CVE-2019-10120 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2019-07-17 | 6.5 MEDIUM | 8.8 HIGH |
| On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154. | |||||
| CVE-2019-9744 | 1 Phoenixcontact | 8 Fl Nat Smcs 8tx, Fl Nat Smcs 8tx Firmware, Fl Nat Smn 8tx and 5 more | 2019-06-05 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. There is unauthorized access to the WEB-UI by attackers arriving from the same source IP address as an authenticated user, because this IP address is used as a session identifier. | |||||
| CVE-2019-10045 | 1 Pydio | 1 Pydio | 2019-06-03 | 6.4 MEDIUM | 6.5 MEDIUM |
| The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her (if the session is still active). | |||||
| CVE-2018-1000409 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.8 MEDIUM | 5.4 MEDIUM |
| A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account. | |||||
| CVE-2017-12965 | 1 Apache2triad | 1 Apache2triad | 2019-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. | |||||
| CVE-2018-15208 | 1 Bpcbt | 1 Smartvista | 2019-05-01 | 5.1 MEDIUM | 7.5 HIGH |
| BPC SmartVista 2 has Session Fixation via the JSESSIONID parameter. | |||||
| CVE-2019-10008 | 1 Zohocorp | 1 Servicedesk Plus | 2019-04-25 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab. | |||||
| CVE-2015-5384 | 1 Axiomsl | 1 Axiom | 2019-04-08 | 6.8 MEDIUM | 8.8 HIGH |
| AxiomSL's Axiom Google Web Toolkit module 9.5.3 and earlier is vulnerable to a Session Fixation attack. | |||||
| CVE-2019-5523 | 1 Vmware | 1 Vcloud Director | 2019-04-04 | 7.5 HIGH | 9.8 CRITICAL |
| VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session. | |||||
| CVE-2017-18105 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.8 MEDIUM | 8.1 HIGH |
| The console login resource in Atlassian Crowd before version 3.0.2 and from version 3.1.0 before version 3.1.1 allows remote attackers, who have previously obtained a user's JSESSIONID cookie, to gain access to some of the built-in and potentially third party rest resources via a session fixation vulnerability. | |||||
| CVE-2015-4594 | 1 Eclinicalworks | 1 Population Health | 2019-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID. | |||||
| CVE-2018-20238 | 1 Atlassian | 1 Crowd | 2019-02-26 | 5.5 MEDIUM | 8.1 HIGH |
| Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability. | |||||
| CVE-2019-7747 | 1 Dbninja | 1 Dbninja | 2019-02-13 | 6.8 MEDIUM | 9.6 CRITICAL |
| DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. | |||||