CWE-384

Session Fixation

52 CVEs, average CVSS 6.7 (source: MITRE)
Severity: 13 Critical, 10 High, 23 Medium, 5 Low
Public PoC: 8; in CISA KEV: 0


CVE-2026-31940 | HIGH | This Week

Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters set the PHP session ID before the application bootstraps, so an attacker can force a victim into an attacker-controlled session. Successful exploitation exposes confidential data and compromises platform integrity. No public exploit identified at time of analysis.

Tags: PHP, Information Disclosure, Session Fixation, Chamilo LMS
Sources: NVD, GitHub
CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2026-33946 | HIGH | PATCH | GHSA | This Week

Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).

Tags: Session Fixation, Python, Information Disclosure
Sources: NVD, GitHub, VulDB
CVSS 4.0: 8.2 | EPSS: 0.0%
CVE-2026-25101 | MEDIUM | This Month

Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.

Tags: Information Disclosure, Session Fixation
Sources: NVD, GitHub
CVSS 4.0: 4.8 | EPSS: 0.0%
CVE-2026-33757 | CRITICAL | PATCH | Act Now

OpenBao JWT/OIDC authentication with direct callback mode allows remote phishing attacks in which attackers can hijack user sessions without a confirmation prompt, affecting installations using the direct callback_mode configuration. The vulnerability stems from the absence of a user-confirmation step in the authorization code flow, enabling session fixation attacks where a victim who visits an attacker-controlled URL is automatically authenticated into the attacker's session. No public exploit identified at time of analysis, though the attack vector is network-based with low complexity and requires only user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). Vendor-released patch: version 2.5.2.

Tags: Information Disclosure, Session Fixation
Sources: NVD, GitHub, VulDB
CVSS 3.1: 9.6 | EPSS: 0.1%
CVE-2025-55266 | MEDIUM | This Month

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user sessions and perform unauthorized transactions without requiring valid credentials. The flaw is improper session management that lets an attacker force a victim to use a predetermined session identifier and then use that session for fraudulent activity. This is a network-accessible flaw requiring user interaction (e.g., clicking a malicious link) but no prior authentication. No public exploit code or active exploitation has been identified at the time of analysis.

Tags: Authentication Bypass, Aftermarket DPC
Sources: NVD
CVSS 3.1: 5.9 | EPSS: 0.0%
CVE-2026-33492 | HIGH | This Week

AVideo, an open-source video platform, contains a session fixation vulnerability that allows attackers to hijack user sessions and achieve full account takeover. The flaw affects the AVideo Composer package (pkg:composer/wwbn_avideo) and stems from accepting arbitrary session IDs via URL parameters, bypassing session regeneration for specific endpoints, and disabled session regeneration during login. A public proof-of-concept exploit is available in the GitHub security advisory, and the vulnerability requires only low privileges (authenticated attacker) and user interaction (victim clicking a malicious link), making it highly exploitable.

Tags: Session Fixation, PHP, CSRF, Privilege Escalation
Sources: NVD, GitHub, VulDB
CVSS 3.1: 7.3 | EPSS: 0.1%
CVE-2025-70973 | MEDIUM | This Month

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]

Tags: Session Fixation, Information Disclosure
Sources: NVD, GitHub
CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-30224 | MEDIUM | POC | PATCH | This Month

OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.

Tags: Authentication Bypass, OliveTin
Sources: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.1%
CVE-2026-24352 | CRITICAL | Act Now

Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.

Tags: Information Disclosure, PluXml
Sources: NVD
CVSS 3.1: 9.8 | EPSS: 0.1%
CVE-2026-2177 | HIGH | POC | This Week

SourceCodester Prison Management System 1.0 contains a session fixation vulnerability in its login component that allows unauthenticated remote attackers to hijack user sessions. Public exploit code exists for this vulnerability, which enables attackers to impersonate legitimate users and gain unauthorized access to the system. No patch is currently available.

Tags: Information Disclosure, Prison Management System
Sources: NVD, GitHub, VulDB
CVSS 3.1: 7.3 | EPSS: 0.0%