Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:L/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800
AnalysisAI
Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).
Technical ContextAI
Session fixation (CWE-384) occurs when an application accepts externally-supplied session identifiers without proper regeneration upon authentication. In Pandora FMS - an open-source network monitoring platform - versions 777 through 800 fail to regenerate session tokens after login, allowing attackers to pre-set session IDs. The CVSS 4.0 vector shows network attack vector (AV:N), low complexity (AC:L), present attack requirements (AT:P), and required user interaction (UI:P), indicating the application accepts session IDs from URL parameters or cookies without validation. The affected CPE (cpe:2.3:a:pandora_fms:pandora_fms) confirms this targets the core Pandora FMS application across the specified version range.
RemediationAI
Upgrade Pandora FMS to version 801 or later, which presumably addresses the session fixation vulnerability (version inferred from 'through 800' statement - exact patched version not independently confirmed in provided data). Consult the Pandora FMS security advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ for official upgrade instructions and release notes. If immediate patching is infeasible, implement compensating controls: configure web application firewall rules to block session ID parameters in URLs (sid, sessionid, PHPSESSID patterns), enforce session regeneration through reverse proxy layer using mod_session or equivalent, and restrict Pandora FMS access to trusted networks via IP allowlisting. Note these mitigations reduce but do not eliminate risk, as cookie-based fixation may still be possible. Enable HTTP Strict Transport Security and secure cookie flags (HttpOnly, Secure, SameSite=Strict) to limit session token leakage vectors. Monitor authentication logs for suspicious session activity patterns such as session reuse across disparate IP addresses.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29496
GHSA-j2qp-cx58-m78p