Total
298 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-31745 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Because Pluck does not invalidate prior sessions after a password change, access can be sustained even after an administrator performs regular remediation attempts such as resetting their password. | |||||
| CVE-2021-2351 | 1 Oracle | 111 Advanced Networking Option, Agile Engineering Data Management, Agile Plm and 108 more | 2024-11-21 | 5.1 MEDIUM | 8.3 HIGH |
| Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Advanced Networking Option, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Advanced Networking Option. Note: The July 2021 Critical Patch Update introduces a number of Native Network Encryption changes to deal with vulnerability CVE-2021-2351 and prevent the use of weaker ciphers. Customers should review: "Changes in Native Network Encryption with the July 2021 Critical Patch Update" (Doc ID 2791571.1). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). | |||||
| CVE-2021-29368 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | N/A | 8.8 HIGH |
| Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions. | |||||
| CVE-2021-22927 | 1 Citrix | 16 Application Delivery Controller, Application Delivery Controller Firmware, Gateway and 13 more | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session. | |||||
| CVE-2021-22237 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.6 MEDIUM |
| Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2 | |||||
| CVE-2021-20151 | 1 Trendnet | 2 Tew-827dru, Tew-827dru Firmware | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying client cookies/session tokens/etc. This allows an attacker (whether from a different computer, different web browser on the same machine, etc.) to take over an existing session. This does require the attacker to be able to spoof or take over original IP address of the original user's session. | |||||
| CVE-2020-9370 | 1 Humaxdigital | 2 Hga12r-02, Hga12r-02 Firmware | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking. | |||||
| CVE-2020-8990 | 1 Western Digital | 2 Ibi, My Cloud Home | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation. | |||||
| CVE-2020-8826 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. | |||||
| CVE-2020-8434 | 1 Jenzabar | 1 Internet Campus Solution | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode it to a client-side cookie for persistent session authentication. By knowing the key and algorithm, an attacker can select any username, encrypt it, base64 encode it, and save it in their browser with the correct JICSLoginCookie cookie format to impersonate any real user in the JICS database without the need for authenticating (or verifying with MFA if implemented). | |||||
| CVE-2020-6824 | 1 Mozilla | 1 Firefox | 2024-11-21 | 1.9 LOW | 2.8 LOW |
| Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75. | |||||
| CVE-2020-6290 | 1 Sap | 1 Disclosure Management | 2024-11-21 | 6.8 MEDIUM | 6.3 MEDIUM |
| SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID. | |||||
| CVE-2020-5894 | 1 F5 | 1 Nginx Controller | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. | |||||
| CVE-2020-5654 | 1 Mitsubishielectric | 10 Melsec Iq-rd81dl96, Melsec Iq-rd81dl96 Firmware, Melsec Iq-rd81mes96n and 7 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in TCP/IP function included in the firmware of MELSEC iQ-R series (RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial number are '02' or before, RJ71PN92 PROFINET IO Controller Module First 2 digits of serial number are '01' or before, RD81DL96 High Speed Data Logger Module First 2 digits of serial number are '08' or before, RD81MES96N MES Interface Module First 2 digits of serial number are '04' or before, and RD81OPC96 OPC UA Server Module First 2 digits of serial number are '04' or before) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet. | |||||
| CVE-2020-5645 | 1 Mitsubishielectric | 6 Coreos, Gt1450-qlbde, Gt1450-qmbde and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QMBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QLBDE CoreOS version "05.65.00.BD" and earlier, GT1455HS-QTBDE CoreOS version "05.65.00.BD" and earlier, and GT1450HS-QMBDE CoreOS version "05.65.00.BD" and earlier) allows a remote unauthenticated attacker to stop the network functions of the products via a specially crafted packet. | |||||
| CVE-2020-5596 | 1 Mitsubishielectric | 4 Coreos, Got2000 Gt23, Got2000 Gt25 and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet. | |||||
| CVE-2020-5550 | 1 Plathome | 4 Easyblocks Ipv6, Easyblocks Ipv6 Enterprise, Easyblocks Ipv6 Enterprise Firmware and 1 more | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| Session fixation vulnerability in EasyBlocks IPv6 Ver. 2.0.1 and earlier, and Enterprise Ver. 2.0.1 and earlier allows remote attackers to impersonate a registered user and log in the management console, that may result in information alteration/disclosure via unspecified vectors. | |||||
| CVE-2020-5543 | 1 Mitsubishielectric | 2 Iu1-1m20-d, Iu1-1m20-d Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop the network functions or execute malware via a specially crafted packet. | |||||
| CVE-2020-5290 | 1 Ctfd | 1 Rctf | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. An attacker team could potentially steal flags by, for example, exploiting a stored XSS payload in a CTF challenge so that victim teams who solve the challenge are unknowingly (and against their will) signed into the attacker team's account. Then, the attacker can gain points / value off the backs of the victims. This is patched in version 2.3. | |||||
| CVE-2020-5205 | 1 Powauth | 1 Pow | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability. | |||||