Total
298 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5021 | 2 Ibm, Linux | 2 Spectrum Protect Plus, Linux Kernel | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
| IBM Spectrum Protect Plus 10.1.0 through 10.1.6 does not invalidate session after a password reset which could allow a local user to impersonate another user on the system. IBM X-Force ID: 193657. | |||||
| CVE-2020-4954 | 1 Ibm | 1 Spectrum Protect Operations Center | 2024-11-21 | 4.8 MEDIUM | 5.4 MEDIUM |
| IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remote attacker to bypass authentication restrictions, caused by improper session validation . By using the configuration panel to obtain a valid session using an attacker controlled IBM Spectrum Protect server, an attacker could exploit this vulnerability to bypass authentication and gain access to a limited number of debug functions, such as logging levels. IBM X-Force ID: 192153. | |||||
| CVE-2020-4555 | 1 Ibm | 1 Financial Transaction Manager | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 183328. | |||||
| CVE-2020-4527 | 1 Ibm | 1 Planning Analytics | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM X-Force ID: 182631. | |||||
| CVE-2020-4291 | 1 Ibm | 1 Security Information Queue | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334. | |||||
| CVE-2020-4243 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly invalidating session tokens. IBM X-Force ID: 175420. | |||||
| CVE-2020-4229 | 1 Ibm | 1 Mobile Foundation | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| IBM Worklight/MobileFoundation 8.0.0.0 does not properly invalidate session cookies when a user logs out of a session, which could allow another user to gain unauthorized access to a user's session. IBM X-Force ID: 175211. | |||||
| CVE-2020-35591 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session. | |||||
| CVE-2020-35229 | 1 Netgear | 4 Gs116e, Gs116e Firmware, Jgs516pe and 1 more | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
| The authentication token required to execute NSDP write requests on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices is not properly invalidated and can be reused until a new token is generated, which allows attackers (with access to network traffic) to effectively gain administrative privileges. | |||||
| CVE-2020-25198 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session and hijack it by stealing the user’s cookies. | |||||
| CVE-2020-25152 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2024-11-21 | 5.8 MEDIUM | 6.5 MEDIUM |
| A session fixation vulnerability in the B. Braun Melsungen AG SpaceCom administrative interface Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows remote attackers to hijack web sessions and escalate privileges. | |||||
| CVE-2020-1993 | 1 Paloaltonetworks | 1 Pan-os | 2024-11-21 | 5.5 MEDIUM | 3.7 LOW |
| The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's session ID. This issue affects: All PAN-OS 7.1 and 8.0 versions; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.8. | |||||
| CVE-2020-1762 | 2 Kiali, Redhat | 2 Kiali, Openshift Service Mesh | 2024-11-21 | 7.5 HIGH | 7.0 HIGH |
| An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to view and alter the Istio configuration. | |||||
| CVE-2020-15909 | 1 Solarwinds | 1 N-central | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi factor request as N-Central is a highly privileged service. | |||||
| CVE-2020-15679 | 1 Mozilla | 1 Vpn | 2024-11-21 | N/A | 7.6 HIGH |
| An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360). | |||||
| CVE-2020-15018 | 1 Playsms | 1 Playsms | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| playSMS through 1.4.3 is vulnerable to session fixation. | |||||
| CVE-2020-13229 | 1 Sysax | 1 Multi Server | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Sysax Multi Server 6.90. A session can be hijacked if one observes the sid value in any /scgi URI, because it is an authentication token. | |||||
| CVE-2020-12467 | 1 Intelliants | 1 Subrion | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. | |||||
| CVE-2020-12258 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse a session via PHPSESSID. Also, an attacker can exploit this vulnerability in conjunction with CVE-2020-12256 or CVE-2020-12259. | |||||
| CVE-2020-11729 | 2 Davical, Debian | 2 Andrew\'s Web Libraries, Debian Linux | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, uses to provide long-term session continuity, are not generated securely, enabling a brute-force attack that may be successful. | |||||