Total: 287 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 4.6 MEDIUM | Session fixation exists in ZoneMinder through 1.36.12, as an attacker can poison a session cookie to the next logged-in user.
CVE-2022-38369 | 1 Apache | 1 Iotdb | 2024-02-28 | N/A | 8.8 HIGH | Apache IoTDB version 0.13.0 is vulnerable to a session id attack. Users should upgrade to version 0.13.1, which addresses this issue.
CVE-2022-43398 | 1 Siemens | 4 7kg9501-0aa01-2aa1, 7kg9501-0aa01-2aa1 Firmware, 7kg9501-0aa31-2aa1 and 1 more | 2024-02-28 | N/A | 8.8 HIGH | A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50). Affected devices do not renew the session cookie after login/logout and also accept user-defined session cookies. An attacker could overwrite the stored session cookie of a user. After the victim has logged in, the attacker is given access to the user's account through the activated session.
CVE-2021-46279 | 1 Lannerinc | 2 Iac-ast2500a, Iac-ast2500a Firmware | 2024-02-28 | N/A | 8.8 HIGH | Session fixation and insufficient session expiration vulnerabilities allow an attacker to perform session hijacking attacks against users. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.
CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2024-02-28 | N/A | 5.4 MEDIUM | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVE-2022-44007 | 1 Backclick | 1 Backclick | 2024-02-28 | N/A | 8.8 HIGH | An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.
CVE-2022-30605 | 1 Wwbn | 1 Avideo | 2024-02-28 | N/A | 8.8 HIGH | A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.
CVE-2022-34334 | 1 Ibm | 1 Sterling Partner Engagement Manager | 2024-02-28 | N/A | 6.5 MEDIUM | IBM Sterling Partner Engagement Manager 2.0 does not invalidate the session after logout, which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 229704.
CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2024-02-28 | N/A | 9.8 CRITICAL | The application was vulnerable to a session fixation that could be used to hijack accounts.
CVE-2022-27305 | 1 Gibbonedu | 1 Gibbon | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH | Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.
CVE-2022-24444 | 1 Silverstripe | 1 Silverstripe | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM | Silverstripe silverstripe/framework through 4.10 allows Session Fixation.
CVE-2022-24781 | 1 Geon Project | 1 Geon | 2024-02-28 | 5.5 MEDIUM | 7.1 HIGH | Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists.
CVE-2022-26591 | 1 Fantec | 2 Mwid25-ds, Mwid25-ds Firmware | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH | FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request.
CVE-2022-24745 | 1 Shopware | 1 Shopware | 2024-02-28 | 5.8 MEDIUM | 6.5 MEDIUM | Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.
CVE-2022-1849 | 1 Filegator | 1 Filegator | 2024-02-28 | 5.5 MEDIUM | 5.4 MEDIUM | Session Fixation in GitHub repository filegator/filegator prior to 7.8.0.
CVE-2020-25152 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2024-02-28 | 5.8 MEDIUM | 8.1 HIGH | A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11, allows remote attackers to hijack web sessions and escalate privileges.
CVE-2021-38869 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL | IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceed their idle timeout. IBM X-Force ID: 208341.
CVE-2021-39066 | 1 Ibm | 1 Financial Transaction Manager | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH | IBM Financial Transaction Manager 3.2.4 does not invalidate the session; any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040.
CVE-2021-42073 | 1 Barrier Project | 1 Barrier | 2024-02-28 | 5.8 MEDIUM | 8.2 HIGH | An issue was discovered in Barrier before 2.4.0. An attacker can enter an active session state with the barriers component (aka the server-side implementation of Barrier) simply by supplying a client label that identifies a valid client configuration. This label is "Unnamed" by default but could instead be guessed from hostnames or other publicly available information. In the active session state, an attacker can capture input device events from the server, and also modify the clipboard content on the server.
CVE-2021-41246 | 1 Auth0 | 1 Express Openid Connect | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH | Express OpenID Connect is Express JS middleware implementing sign-on for Express web apps using OpenID Connect. Versions before and including `2.5.1` do not regenerate the session id and session cookie when a user logs in. This behavior opens up the application to various session fixation vulnerabilities. Version `2.5.2` contains a patch for this issue.