Total
287 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-15304 | 1 Airtame | 2 Hdmi Dongle, Hdmi Dongle Firmware | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change. | |||||
CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | |||||
CVE-2017-1270 | 1 Ibm | 1 Security Guardium | 2024-02-28 | 2.1 LOW | 3.3 LOW |
IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 124745. | |||||
CVE-2017-12225 | 1 Cisco | 1 Prime Lan Management Solution | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392. | |||||
CVE-2016-9981 | 1 Ibm | 1 Security Appscan | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. IBM X-Force ID: 120257 | |||||
CVE-2017-11562 | 1 Mt4 | 1 Senhasegura | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. | |||||
CVE-2017-14263 | 1 Honeywell | 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more | 2024-02-28 | 9.3 HIGH | 8.1 HIGH |
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device. | |||||
CVE-2017-12873 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. | |||||
CVE-2017-5141 | 1 Honeywell | 1 Xl Web Ii Controller | 2024-02-28 | 6.5 MEDIUM | 6.0 MEDIUM |
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION). | |||||
CVE-2016-6040 | 1 Ibm | 1 Rational Collaborative Lifecycle Management | 2024-02-28 | 6.0 MEDIUM | 5.0 MEDIUM |
IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced. | |||||
CVE-2017-0892 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | 4.3 MEDIUM | 3.5 LOW |
Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. | |||||
CVE-2017-6412 | 1 Sophos | 1 Web Appliance | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. | |||||
CVE-2017-5831 | 1 Revive-adserver | 1 Revive Adserver | 2024-02-28 | 5.5 MEDIUM | 5.9 MEDIUM |
Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. | |||||
CVE-2016-0721 | 3 Clusterlabs, Fedoraproject, Redhat | 3 Pcs, Fedora, Enterprise Linux | 2024-02-28 | 4.3 MEDIUM | 8.1 HIGH |
Session fixation vulnerability in pcsd in pcs before 0.9.157. | |||||
CVE-2017-1152 | 1 Ibm | 1 Financial Transaction Manager | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293. | |||||
CVE-2017-5656 | 1 Apache | 1 Cxf | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. | |||||
CVE-2016-9125 | 1 Revive-adserver | 1 Revive Adserver | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session. | |||||
CVE-2016-9703 | 1 Ibm | 1 Security Identity Manager Virtual Appliance | 2024-02-28 | 2.1 LOW | 2.4 LOW |
IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information. | |||||
CVE-2017-4014 | 1 Mcafee | 1 Network Data Loss Prevention | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request. | |||||
CVE-2016-6043 | 1 Ibm | 1 Tivoli Storage Manager | 2024-02-28 | 4.4 MEDIUM | 7.0 HIGH |
Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced. |