Skip to main content

Session Fixation

295 CVEs product

Monthly

CVE-2023-44400 npm HIGH POC PATCH This Week

Uptime Kuma is a self-hosted monitoring tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Uptime Kuma
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-42322 CRITICAL Act Now

Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Icms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-3711 HIGH This Week

Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction.19.050004. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Honeywell Pm43 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-41012 CRITICAL POC Act Now

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the authentication mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Session Fixation Intelligent Home Gateway Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-4649 MEDIUM POC PATCH This Month

Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Instantcms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-40273 PyPI HIGH PATCH This Week

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation Airflow
NVD GitHub
CVSS 3.1
8.0
EPSS
1.4%
CVE-2023-24477 MEDIUM This Month

In certain conditions, depending on timing and the usage of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. Rated medium severity (CVSS 5.4). No vendor patch available.

Information Disclosure Google Session Fixation Cmc Guardian
NVD
CVSS 4.0
5.4
EPSS
0.1%
CVE-2023-21239 MEDIUM PATCH This Month

In visitUris of Notification.java, there is a possible way to leak image data across user boundaries due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Session Fixation Android
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2023-21238 MEDIUM PATCH This Month

In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Session Fixation Android
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-37946 Maven HIGH PATCH This Week

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Openshift Login
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-34656 HIGH POC This Week

An issue was discovered with the JSESSION IDs in Xiamen Si Xin Communication Technology Video management system 3.1 thru 4.1 allows attackers to gain escalated privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Session Fixation Video Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-3394 MEDIUM POC PATCH This Month

Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Fossbilling
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-34156 MEDIUM This Month

Vulnerability of services denied by early fingerprint APIs on HarmonyOS products.Successful exploitation of this vulnerability may cause services to be denied. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Emui
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-3192 PHP MEDIUM POC PATCH This Month

Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Froxlor
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-32997 Maven HIGH PATCH This Week

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Cas
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2023-31498 CRITICAL POC Act Now

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to execute arbitrary code and access sensitive information via the session token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PHP RCE Session Fixation Hospital Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2023-28316 CRITICAL Act Now

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Rocket Chat
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-30056 HIGH This Week

A session takeover vulnerability exists in FICO Origination Manager Decision Module 4.8.1 due to insufficient protection of the JSESSIONID cookie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Origination Manager Decision
NVD VulDB
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-1265 MEDIUM This Month

An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Gitlab Session Fixation
NVD
CVSS 3.1
4.5
EPSS
0.8%
CVE-2023-29019 npm HIGH PATCH This Week

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Passport
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2023-2105 PHP HIGH POC PATCH This Week

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Easyappointments
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-26260 MEDIUM This Month

OXID eShop 6.2.x before 6.4.4 and 6.5.x before 6.5.2 allows session hijacking, leading to partial access of a customer's account by an attacker, due to an improper check of the user agent. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Oxid Eshop
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-24456 Maven CRITICAL PATCH Act Now

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Keycloak Authentication
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-24427 Maven CRITICAL PATCH Act Now

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Bitbucket Oauth
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-24424 Maven HIGH PATCH This Week

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure Openid Connect Authentication
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-22479 Go MEDIUM PATCH This Month

KubePi is a modern Kubernetes panel. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Kubernetes Information Disclosure Session Fixation Kubepi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-36437 Maven CRITICAL PATCH Act Now

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Hazelcast Hazelcast Jet
NVD GitHub
CVSS 3.1
9.1
EPSS
1.0%
CVE-2022-44017 HIGH POC This Week

An issue was discovered in Simmeth Lieferantenmanager before 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Lieferantenmanager
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-38628 MEDIUM POC This Month

Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Session Fixation Linear Emerge E3 Access Control Firmware
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-4231 PHP MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Zenario
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-44788 MEDIUM POC This Month

An issue was discovered in Appalti & Contratti 9.12.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Appalti Contratti
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-44007 HIGH POC This Week

An issue was discovered in BACKCLICK Professional 5.9.63. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Backclick
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-30769 MEDIUM This Month

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Zoneminder
NVD GitHub
CVSS 3.1
4.6
EPSS
0.5%
CVE-2022-43687 PHP MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Concrete Cms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-31689 CRITICAL PATCH Act Now

VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Session Fixation Workspace One Assist
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-43398 HIGH PATCH This Week

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation 7Kg9501 0Aa01 2Aa1 Firmware 7Kg9501 0Aa31 2Aa1 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-40293 CRITICAL Act Now

The application was vulnerable to a session fixation that could be used hijack accounts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Php Point Of Sale
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-40226 HIGH PATCH This Week

A vulnerability has been identified in SICAM P850 (7KG8500-0AA00-0AA0) (All versions < V3.10), SICAM P850 (7KG8500-0AA00-2AA0) (All versions < V3.10), SICAM P850 (7KG8500-0AA10-0AA0) (All versions <. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Session Fixation 7Kg8500 0Aa00 0Aa0 Firmware 7Kg8500 0Aa00 2Aa0 Firmware 7Kg8500 0Aa10 0Aa0 Firmware +33
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2022-34334 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Session Fixation IBM Sterling Partner Engagement Manager
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-40630 CRITICAL Act Now

This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation En6200 Prime Quad 35 Firmware En6200 Prime Quad 100 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-3269 PyPI CRITICAL POC PATCH Act Now

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Rdiffweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-38369 LIB HIGH PATCH This Week

Apache IoTDB version 0.13.0 is vulnerable by session id attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation Iotdb
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2022-38054 PyPI CRITICAL PATCH Act Now

In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation Airflow
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2022-31798 MEDIUM POC This Month

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation XSS PHP Emerge E3 Firmware
NVD GitHub
CVSS 3.1
6.1
EPSS
6.7%
CVE-2022-2997 PHP HIGH POC PATCH This Week

Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Snipe It
NVD GitHub
CVSS 3.1
8.0
EPSS
0.7%
CVE-2022-30605 HIGH POC This Week

A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Privilege Escalation Avideo
NVD GitHub
CVSS 3.1
8.8
EPSS
4.1%
CVE-2022-2820 HIGH POC PATCH This Week

Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Nameless
NVD GitHub
CVSS 3.1
8.2
EPSS
0.6%
CVE-2022-33927 MEDIUM This Month

Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Dell Wyse Management Suite
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-22681 HIGH This Week

Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Synology Photo Station
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-25896 npm MEDIUM PATCH This Month

This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Session Fixation Information Disclosure Passport
NVD GitHub
CVSS 3.1
4.8
EPSS
1.0%
CVE-2022-24444 PHP MEDIUM PATCH This Month

Silverstripe silverstripe/framework through 4.10 allows Session Fixation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-27305 HIGH PATCH This Week

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Gibbon
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-1849 PHP MEDIUM POC PATCH This Month

Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Session Fixation Information Disclosure Filegator
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-26591 HIGH POC This Week

FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Mwid25 Ds Firmware
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-24781 HIGH PATCH This Week

Geon is a board game based on solving questions about the Pythagorean Theorem. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Geon
NVD GitHub
CVSS 3.1
7.1
EPSS
0.9%
CVE-2022-24745 PHP MEDIUM PATCH This Month

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Session Fixation Information Disclosure Shopware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-20151 CRITICAL Act Now

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Tew 827Dru Firmware
NVD
CVSS 3.1
10.0
EPSS
1.6%
CVE-2021-31745 HIGH POC This Week

Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Authentication Bypass Pluck
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-41246 npm HIGH PATCH This Week

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Express Openid Connect
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-41268 PHP HIGH PATCH This Week

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure PHP Session Fixation Symfony
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-42073 HIGH POC This Week

An issue was discovered in Barrier before 2.4.0. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Barrier
NVD GitHub
CVSS 3.1
8.2
EPSS
1.4%
CVE-2021-41553 CRITICAL Act Now

In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Web Central
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-35948 MEDIUM This Month

Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Owncloud
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-22237 MEDIUM This Month

Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Gitlab Session Fixation
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2021-39290 CRITICAL POC Act Now

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Netmodule Router Software
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-22927 HIGH This Week

A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Citrix Session Fixation Application Delivery Controller Firmware Gateway +1
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-32710 PHP HIGH PATCH This Week

Shopware is an open source eCommerce platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Shopware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2021-35046 MEDIUM POC This Month

A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Icehrm
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-32676 MEDIUM This Month

Nextcloud Talk is a fully on-premises audio/video and chat communication service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nextcloud Session Fixation Talk
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-33394 MEDIUM POC PATCH This Month

Cubecart 6.4.2 allows Session Fixation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Session Fixation Cubecart
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-25198 HIGH This Week

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nport Iaw5000A I O Firmware
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-4555 MEDIUM PATCH This Month

IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM Session Fixation Information Disclosure Financial Transaction Manager
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-5645 HIGH This Week

Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QMBDE CoreOS version. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Coreos
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2020-5654 HIGH This Week

Session fixation vulnerability in TCP/IP function included in the firmware of MELSEC iQ-R series (RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial number are '02' or before,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Melsec Iq Rj71Eip91 Firmware Melsec Iq Rj71Pn92 Firmware Melsec Iq Rd81Dl96 Firmware +2
NVD
CVSS 3.1
7.5
EPSS
2.7%
CVE-2020-15909 HIGH POC This Week

SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure N Central
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2020-10714 Maven HIGH PATCH This Week

A flaw was found in WildFly Elytron version 1.11.3.Final and before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Wildfly Elytron Codeready Studio Descision Manager +3
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2020-6302 HIGH This Week

SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SAP Session Fixation Information Disclosure Commerce
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2020-4243 LOW PATCH Monitor

IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

IBM Session Fixation Information Disclosure Security Identity Governance And Intelligence
NVD
CVSS 3.1
3.7
EPSS
0.9%
CVE-2020-4527 MEDIUM PATCH This Month

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

IBM Session Fixation Information Disclosure Planning Analytics
NVD
CVSS 3.1
5.9
EPSS
1.3%
CVE-2020-6290 MEDIUM This Month

SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Session Fixation Information Disclosure Disclosure Management
NVD
CVSS 3.1
6.3
EPSS
0.6%
CVE-2020-5596 HIGH This Week

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Coreos
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-15018 MEDIUM POC This Month

playSMS through 1.4.3 is vulnerable to session fixation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Playsms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-4229 HIGH PATCH This Week

IBM Worklight/MobileFoundation 8.0.0.0 does not properly invalidate session cookies when a user logs out of a session, which could allow another user to gain unauthorized access to a user's session. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Session Fixation Authentication Bypass Mobile Foundation
NVD
CVSS 3.1
7.3
EPSS
0.9%
CVE-2020-13229 HIGH POC This Week

An issue was discovered in Sysax Multi Server 6.90. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Multi Server
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2020-8434 CRITICAL Act Now

Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Internet Campus Solution
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-12258 CRITICAL Act Now

rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rconfig
NVD GitHub
CVSS 3.1
9.1
EPSS
1.7%
CVE-2020-1993 MEDIUM This Month

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Paloalto Session Fixation Information Disclosure Pan Os
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2020-5894 HIGH This Week

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Nginx Nginx Controller
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2020-12467 PHP MEDIUM POC This Month

Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Subrion
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2020-1762 Go HIGH PATCH This Week

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Kiali Openshift Service Mesh
NVD
CVSS 3.1
8.6
EPSS
1.1%
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Uptime Kuma is a self-hosted monitoring tool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Uptime Kuma
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Icms
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction.19.050004. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Honeywell +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via the authentication mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Session Fixation Intelligent Home Gateway Firmware
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Instantcms
NVD GitHub
EPSS 1% CVSS 8.0
HIGH PATCH This Week

The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has been reset by the admin - up until the expiry of the. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

In certain conditions, depending on timing and the usage of the Chrome web browser, Guardian/CMC versions before 22.6.2 do not always completely invalidate the user session upon logout. Rated medium severity (CVSS 5.4). No vendor patch available.

Information Disclosure Google Session Fixation +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In visitUris of Notification.java, there is a possible way to leak image data across user boundaries due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Session Fixation Android
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Session Fixation Android
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered with the JSESSION IDs in Xiamen Si Xin Communication Technology Video management system 3.1 thru 4.1 allows attackers to gain escalated privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Session Fixation Video Management System
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Session Fixation in GitHub repository fossbilling/fossbilling prior to 0.5.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Fossbilling
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Vulnerability of services denied by early fingerprint APIs on HarmonyOS products.Successful exploitation of this vulnerability may cause services to be denied. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Emui
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Froxlor
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to execute arbitrary code and access sensitive information via the session token. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PHP RCE +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Rocket Chat
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A session takeover vulnerability exists in FICO Origination Manager Decision Module 4.8.1 due to insufficient protection of the JSESSIONID cookie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Origination Manager Decision
NVD VulDB
EPSS 1% CVSS 4.5
MEDIUM This Month

An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Gitlab Session Fixation
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

@fastify/passport is a port of passport authentication library for the Fastify ecosystem. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Passport
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Easyappointments
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

OXID eShop 6.2.x before 6.4.4 and 6.5.x before 6.5.2 allows session hijacking, leading to partial access of a customer's account by an attacker, due to an improper check of the user agent. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Oxid Eshop
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins Session Fixation Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

KubePi is a modern Kubernetes panel. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Kubernetes Information Disclosure Session Fixation +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Hazelcast +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in Simmeth Lieferantenmanager before 5.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Lieferantenmanager
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Session Fixation Linear Emerge E3 Access Control Firmware
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in Tribal Systems Zenario CMS 9.3.57595. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Zenario
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An issue was discovered in Appalti & Contratti 9.12.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Appalti Contratti
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in BACKCLICK Professional 5.9.63. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Backclick
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Zoneminder
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Concrete Cms
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure VMware Session Fixation +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM Q100 (All versions < V2.50), POWER METER SICAM. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation 7Kg9501 0Aa01 2Aa1 Firmware +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The application was vulnerable to a session fixation that could be used hijack accounts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Php Point Of Sale
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

A vulnerability has been identified in SICAM P850 (7KG8500-0AA00-0AA0) (All versions < V3.10), SICAM P850 (7KG8500-0AA00-2AA0) (All versions < V3.10), SICAM P850 (7KG8500-0AA10-0AA0) (All versions <. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Session Fixation 7Kg8500 0Aa00 0Aa0 Firmware +35
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager 2.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Session Fixation IBM +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

This vulnerability exists in Tacitine Firewall, all versions of EN6200-PRIME QUAD-35 and EN6200-PRIME QUAD-100 between 19.1.1 to 22.20.1 (inclusive), due to improper session management in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation En6200 Prime Quad 35 Firmware +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Rdiffweb
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Apache IoTDB version 0.13.0 is vulnerable by session id attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Session Fixation +1
NVD
EPSS 7% CVSS 6.1
MEDIUM POC This Month

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation XSS PHP +1
NVD GitHub
EPSS 1% CVSS 8.0
HIGH POC PATCH This Week

Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Snipe It
NVD GitHub
EPSS 4% CVSS 8.8
HIGH POC This Week

A privilege escalation vulnerability exists in the session id functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Privilege Escalation Avideo
NVD GitHub
EPSS 1% CVSS 8.2
HIGH POC PATCH This Week

Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Session Fixation Nameless
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Dell Wyse Management Suite 3.6.1 and below contains a Session Fixation vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Dell +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Session fixation vulnerability in access control management in Synology Photo Station before 6.8.16-3506 allows remote attackers to bypass security constraint via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Synology +1
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

This affects the package passport before 0.6.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Session Fixation Information Disclosure Passport
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Silverstripe silverstripe/framework through 4.10 allows Session Fixation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Gibbon
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Session Fixation in GitHub repository filegator/filegator prior to 7.8.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Session Fixation Information Disclosure Filegator
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attackers to access and download arbitrary files via a crafted GET request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Mwid25 Ds Firmware
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Geon is a board game based on solving questions about the Pythagorean Theorem. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Geon
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Session Fixation Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL Act Now

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Tew 827Dru Firmware
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Session Fixation vulnerability in login.php in Pluck-CMS Pluck 4.7.15 allows an attacker to sustain unauthorized access to the platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Authentication Bypass +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Express OpenID Connect is express JS middleware implementing sign on for Express web apps using OpenID Connect. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Express Openid Connect
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure PHP Session Fixation +1
NVD GitHub
EPSS 1% CVSS 8.2
HIGH POC This Week

An issue was discovered in Barrier before 2.4.0. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Barrier
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be already in use by another user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Web Central
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Owncloud
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Gitlab Session Fixation
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Netmodule Router Software
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A session fixation vulnerability exists in Citrix ADC and Citrix Gateway 13.0-82.45 when configured SAML service provider that could allow an attacker to hijack a session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Citrix Session Fixation +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Shopware is an open source eCommerce platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Session Fixation Shopware
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Icehrm
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Nextcloud Talk is a fully on-premises audio/video and chat communication service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Nextcloud Session Fixation +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cubecart 6.4.2 allows Session Fixation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Session Fixation Cubecart
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nport Iaw5000A I O Firmware
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM Session Fixation Information Disclosure +1
NVD
EPSS 4% CVSS 7.5
HIGH This Week

Session fixation vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QMBDE CoreOS version. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Coreos
NVD
EPSS 3% CVSS 7.5
HIGH This Week

Session fixation vulnerability in TCP/IP function included in the firmware of MELSEC iQ-R series (RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial number are '02' or before,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Melsec Iq Rj71Eip91 Firmware +4
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure N Central
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in WildFly Elytron version 1.11.3.Final and before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Wildfly Elytron +5
NVD
EPSS 1% CVSS 8.1
HIGH This Week

SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SAP Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 3.7
LOW PATCH Monitor

IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

IBM Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

IBM Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Session Fixation Information Disclosure +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Coreos
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

playSMS through 1.4.3 is vulnerable to session fixation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Playsms
NVD GitHub
EPSS 1% CVSS 7.3
HIGH PATCH This Week

IBM Worklight/MobileFoundation 8.0.0.0 does not properly invalidate session cookies when a user logs out of a session, which could allow another user to gain unauthorized access to a user's session. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Session Fixation Authentication Bypass +1
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

An issue was discovered in Sysax Multi Server 6.90. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Multi Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Internet Campus Solution
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rconfig
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The GlobalProtect Portal feature in PAN-OS does not set a new session identifier after a successful user login, which allows session fixation attacks, if an attacker is able to control a user's. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Paloalto Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

On versions 3.0.0-3.3.0, the NGINX Controller webserver does not invalidate the server-side session token after users log out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Session Fixation Nginx +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Subrion
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Kiali +1
NVD
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy