Skip to main content

Session Fixation EUVDEUVD-2025-209085

| CVE-2025-55264 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-03-26 HCL GHSA-m87p-2jxv-5xfp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:45 euvd
EUVD-2025-209085
Analysis Generated
Mar 26, 2026 - 13:45 vuln.today
CVE Published
Mar 26, 2026 - 13:04 nvd
MEDIUM 5.5

DescriptionCVE.org

HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change will allow attacker to access to a session, then they can maintain control over the account despite the password change leading to account takeover.

AnalysisAI

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain active sessions after a password change, enabling persistent account takeover. An attacker who gains initial session access can continue to operate under a compromised account identity even after the victim resets their password, as the application fails to terminate pre-existing sessions upon credential modification. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability stems from a session management implementation flaw classified under CWE-613 (Insufficient Session Expiration), where HCL Aftermarket DPC does not properly invalidate active HTTP sessions when a user changes their password. The affected product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Session tokens or cookies remain valid post-password-change because the application lacks server-side session lifecycle management tied to authentication credential events. This allows a threat actor with an existing authenticated session (established through credential compromise, phishing, or other means) to bypass the user's defensive action of password reset, maintaining unauthorized access to the account and its associated resources.

RemediationAI

Apply the security patch from HCL as described in their official advisory (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793). The patch should address session invalidation logic to ensure all active sessions are terminated when a password change event occurs. Until patching is possible, mitigate by enforcing periodic session timeout policies (e.g., 30-60 minute inactivity windows) at the application level, implementing IP-based session pinning where feasible to detect session hijacking, and monitoring account activity logs for unexpected concurrent sessions. Additionally, require users to log out from all devices after a password change and implement multi-factor authentication (MFA) to add a second factor of control beyond session tokens.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

EUVD-2025-209085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy