Skip to main content

Session Fixation

295 CVEs product

Monthly

CVE-2020-6824 LOW Monitor

Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Rated low severity (CVSS 2.8), this vulnerability is low attack complexity. No vendor patch available.

Mozilla Session Fixation Information Disclosure Firefox
NVD
CVSS 3.1
2.8
EPSS
0.3%
CVE-2020-11729 CRITICAL POC Act Now

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Andrew S Web Libraries Debian Linux
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2020-11728 HIGH This Week

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Andrew S Web Libraries Debian Linux
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-8826 HIGH POC This Week

As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Argo Cd
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-4291 MEDIUM PATCH This Month

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Session Fixation Information Disclosure Security Information Queue
NVD
CVSS 3.1
4.3
EPSS
1.2%
CVE-2020-5550 HIGH This Week

Session fixation vulnerability in EasyBlocks IPv6 Ver. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Easyblocks Ipv6 Firmware Easyblocks Ipv6 Enterprise Firmware
NVD
CVSS 3.1
8.1
EPSS
1.9%
CVE-2020-5290 MEDIUM POC This Month

In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Session Fixation Rctf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-5543 CRITICAL PATCH Act Now

TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Iu1 1M20 D Firmware
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-9370 CRITICAL Act Now

HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Hga12R 02 Firmware
NVD
CVSS 3.1
9.1
EPSS
1.2%
CVE-2020-8990 CRITICAL PATCH Act Now

Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Ibi My Cloud Home
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2020-5205 MEDIUM PATCH This Month

In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Redis Session Fixation Information Disclosure Pow
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2019-17563 Maven HIGH PATCH This Week

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

Session Fixation Tomcat Information Disclosure Apache Debian Linux +9
NVD
CVSS 3.1
7.5
EPSS
10.7%
CVE-2019-8116 HIGH PATCH This Week

Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Adobe Magento
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2019-17062 HIGH This Week

An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Eshop
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2019-18418 CRITICAL POC Act Now

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Information Disclosure Clonos
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
4.0%
CVE-2019-15849 HIGH POC This Week

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Homematic Ccu3 Firmware
NVD
CVSS 3.1
7.3
EPSS
0.8%
CVE-2019-0062 HIGH This Week

A session fixation vulnerability in J-Web on Junos OS may allow an attacker to use social engineering techniques to fix and hijack a J-Web administrators web session and potentially gain. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Juniper Session Fixation Information Disclosure Junos
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2019-4227 HIGH This Week

IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 AMQP Listeners could allow an unauthorized user to conduct a session fixation attack due to clients not being. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation IBM Mq
NVD
CVSS 3.1
7.3
EPSS
1.2%
CVE-2019-4304 MEDIUM This Month

IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation IBM Websphere Application Server
NVD
CVSS 3.1
6.3
EPSS
1.0%
CVE-2019-6161 HIGH This Week

An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Cp Storage Block Firmware
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2019-12203 PHP MEDIUM PATCH This Month

SilverStripe through 4.3.3 allows session fixation in the "change password" form. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2019-13517 HIGH This Week

In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Microsoft Information Disclosure Pyxis Enterprise Server Pyxis Es
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2019-12258 HIGH POC THREAT This Week

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Vxworks Sonicos Siprotec 5 Firmware +9
NVD GitHub
CVSS 3.1
7.5
EPSS
23.4%
CVE-2019-5406 HIGH This Week

A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure 3Par Storeserv Management Console
NVD
CVSS 3.0
7.2
EPSS
1.4%
CVE-2019-5400 MEDIUM This Month

A remote session reuse vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure 3Par Service Processor Firmware
NVD
CVSS 3.0
6.3
EPSS
0.9%
CVE-2019-10371 Maven HIGH PATCH This Week

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Gitlab Jenkins Authentication Bypass Session Fixation +1
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2019-7849 PHP HIGH PATCH This Week

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Adobe Magento
NVD
CVSS 3.0
7.5
EPSS
1.2%
CVE-2019-4439 MEDIUM PATCH This Month

IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity.

Session Fixation IBM Information Disclosure Cloud Private
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2019-10120 HIGH This Week

On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Ccu3 Firmware Ccu2 Firmware
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2019-4152 MEDIUM PATCH This Month

IBM Security Access Manager 9.0.1 through 9.0.6 does not invalidate session tokens in a timely manner. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Session Fixation IBM Information Disclosure Security Access Manager
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2019-6584 HIGH PATCH This Week

A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version <. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Siemens Information Disclosure Logo 8 Firmware
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2019-10045 MEDIUM POC This Month

The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Pydio
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2019-1807 HIGH This Week

A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Cisco Information Disclosure Umbrella
NVD
CVSS 3.0
8.8
EPSS
1.5%
CVE-2019-10008 HIGH POC THREAT This Week

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Session Fixation Zoho Servicedesk Plus
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
19.7%
CVE-2019-11213 HIGH This Week

In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Ivanti Session Fixation Connect Secure Pulse Connect Secure +1
NVD
CVSS 3.0
8.1
EPSS
2.8%
CVE-2019-5523 CRITICAL Act Now

VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation VMware Information Disclosure Vcloud Director
NVD
CVSS 3.0
9.8
EPSS
3.3%
CVE-2019-9744 HIGH This Week

An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Fl Nat Smn 8Tx M Dmg Firmware Fl Nat Smn 8Tx M Firmware Fl Nat Smn 8Tx Firmware +1
NVD
CVSS 3.0
8.8
EPSS
1.6%
CVE-2019-3784 MEDIUM This Month

Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Stratos
NVD
CVSS 3.0
6.5
EPSS
1.1%
CVE-2019-3783 HIGH This Week

Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Stratos
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2019-0102 HIGH This Week

Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Session Fixation Intel Data Center Manager
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2019-7747 CRITICAL POC Act Now

DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Information Disclosure Dbninja
NVD GitHub
CVSS 3.0
9.6
EPSS
1.4%
CVE-2019-1003019 Maven MEDIUM PATCH This Month

An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Java Session Fixation Jenkins Github Oauth
NVD
CVSS 3.0
5.9
EPSS
0.9%
CVE-2019-7350 HIGH POC This Week

Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Zoneminder
NVD GitHub
CVSS 3.0
7.3
EPSS
1.0%
CVE-2018-1804 LOW PATCH Monitor

IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 does not set the secure attribute on authorization tokens or session cookies. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Session Fixation IBM Information Disclosure Security Access Manager
NVD
CVSS 3.0
3.7
EPSS
0.9%
CVE-2018-1485 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
4.3
EPSS
1.0%
CVE-2018-1484 LOW Monitor

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
3.7
EPSS
1.0%
CVE-2018-1480 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation XSS IBM Bigfix Platform
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2018-13337 MEDIUM POC This Month

Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Terramaster Operating System
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2018-19443 PyPI MEDIUM PATCH This Month

The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Tryton
NVD
CVSS 3.0
5.9
EPSS
0.9%
CVE-2018-6434 HIGH This Week

A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Fabric Operating System
NVD
CVSS 3.0
7.5
EPSS
1.2%
CVE-2018-18926 Go CRITICAL PATCH Act Now

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation RCE Gitea
NVD GitHub
CVSS 3.0
9.8
EPSS
3.0%
CVE-2018-18925 CRITICAL POC PATCH THREAT Act Now

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation RCE Gogs
NVD GitHub
CVSS 3.0
9.8
EPSS
31.9%
CVE-2018-13282 MEDIUM This Month

Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Synology Photo Station
NVD
CVSS 3.0
6.3
EPSS
1.0%
CVE-2018-16463 LOW Monitor

A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Nextcloud Session Fixation Information Disclosure Nextcloud Server
NVD
CVSS 3.0
3.1
EPSS
0.5%
CVE-2018-18380 MEDIUM PATCH This Month

A Session Fixation issue was discovered in Bigtree before 4.2.24. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2018-17902 MEDIUM This Month

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Denial Of Service Fcj Firmware Fcn 100 Firmware Fcn Rtu Firmware +1
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2018-9082 HIGH This Week

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Lenovo Session Fixation Information Disclosure Storcenter Px12 450R Firmware Storcenter Px12 400R Firmware +18
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2018-8852 HIGH This Week

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure E Alert Firmware
NVD
CVSS 3.0
8.8
EPSS
1.9%
CVE-2018-5385 HIGH POC This Week

Navarino Infinity is prone to session fixation attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Authentication Bypass Infinity
NVD
CVSS 3.0
8.8
EPSS
4.2%
CVE-2018-14387 HIGH POC This Week

An issue was discovered in WonderCMS before 2.5.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Wondercms
NVD GitHub
CVSS 3.0
8.8
EPSS
1.6%
CVE-2018-1492 MEDIUM This Month

IBM Jazz Foundation products could allow a user with physical access to the system to log in as another user due to the server's failure to properly log out from the previous session. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure Rational Collaborative Lifecycle Management Rational Team Concert +5
NVD
CVSS 3.0
6.8
EPSS
0.4%
CVE-2018-1000602 Maven MEDIUM PATCH This Month

A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Session Fixation Jenkins Authentication Bypass Saml
NVD
CVSS 3.0
5.9
EPSS
0.9%
CVE-2018-1000519 PyPI MEDIUM POC PATCH This Month

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see:. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Aiohttp Session
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2018-0359 MEDIUM This Month

A vulnerability in the session identification management functionality of the web-based management interface for Cisco Meeting Server could allow an unauthenticated, local attacker to hijack a valid. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Cisco Meeting Server
NVD
CVSS 3.0
5.5
EPSS
0.4%
CVE-2018-9026 HIGH This Week

A session fixation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to hijack user sessions with a specially crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Privileged Access Manager
NVD
CVSS 3.0
7.5
EPSS
1.3%
CVE-2018-12071 PHP CRITICAL PATCH Act Now

A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Codeigniter
NVD GitHub
CVSS 3.0
9.8
EPSS
1.3%
CVE-2018-11385 PHP HIGH PATCH This Week

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Symfony Debian Linux Fedora
NVD
CVSS 3.0
8.1
EPSS
2.0%
CVE-2018-11714 CRITICAL POC THREAT Act Now

An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure TP-Link Tl Wr840N Firmware Tl Wr841n Firmware
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
36.5%
CVE-2018-11571 HIGH This Week

ClipperCMS 1.3.3 allows Session Fixation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Clippercms
NVD GitHub
CVSS 3.0
8.8
EPSS
1.3%
CVE-2018-11567 LOW POC Monitor

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Echo Show Firmware Echo Plus Firmware Echo Dot Firmware +2
NVD
CVSS 3.0
3.3
EPSS
1.1%
CVE-2018-1375 HIGH PATCH This Week

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation IBM Information Disclosure Security Guardium Big Data Intelligence
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2018-11475 HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Monstra
NVD GitHub
CVSS 3.0
8.0
EPSS
1.1%
CVE-2018-11474 HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure PHP Monstra
NVD GitHub
CVSS 3.0
8.0
EPSS
1.1%
CVE-2018-1148 MEDIUM This Month

In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nessus
NVD
CVSS 3.0
6.5
EPSS
0.8%
CVE-2018-10252 HIGH This Week

An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a devices. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Wcb6200Q Firmware
NVD
CVSS 3.0
8.1
EPSS
0.9%
CVE-2018-1000173 Maven MEDIUM PATCH This Month

A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Jenkins Java Google Authentication Bypass +1
NVD
CVSS 3.0
5.9
EPSS
1.6%
CVE-2018-0564 HIGH This Week

Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3..4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Ec Cube
NVD
CVSS 3.0
8.1
EPSS
1.5%
CVE-2018-0229 MEDIUM This Month

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Denial Of Service Cisco Anyconnect Secure Mobility Client Adaptive Security Appliance Software
NVD
CVSS 3.0
6.5
EPSS
3.6%
CVE-2018-6959 CRITICAL Act Now

VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure VMware Vrealize Automation
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2018-2409 HIGH This Week

Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure SAP Cloud Platform
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2018-2408 HIGH This Week

Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure SAP Businessobjects
NVD
CVSS 3.0
7.3
EPSS
1.6%
CVE-2018-5465 HIGH This Week

A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Hirschmann Rs20 0900Mmm2Tdau Hirschmann Rs20 0900Nnm4Tdau Hirschmann Rs20 0900Vvm2Tdau +131
NVD
CVSS 3.0
8.8
EPSS
1.8%
CVE-2017-1270 LOW Monitor

IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure Security Guardium
NVD
CVSS 3.0
3.3
EPSS
0.1%
CVE-2017-11562 HIGH This Week

A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation PHP Information Disclosure Senhasegura
NVD
CVSS 3.0
8.8
EPSS
0.3%
CVE-2017-10890 MEDIUM This Month

Session management issue in RX-V200 firmware versions prior to 09.87.17.09, RX-V100 firmware versions prior to 03.29.17.09, RX-CLV1-P firmware versions prior to 79.17.17.09, RX-CLV2-B firmware. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rx V200 Firmware Rx V100 Firmware Rx Clv1 P Firmware +2
NVD
CVSS 3.0
4.6
EPSS
0.1%
CVE-2017-1000150 HIGH PATCH This Week

Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Mahara
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-14163 HIGH PATCH This Week

An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Mahara
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-15304 CRITICAL Act Now

/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation PHP Information Disclosure Hdmi Dongle Firmware
NVD
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-11191 HIGH This Week

FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Freeipa
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-14263 HIGH Act Now

Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 24.4% and no vendor patch available.

Session Fixation Honeywell Information Disclosure Enterprise Dvr Firmware Maxpro Nvr Hybrid Se Firmware +5
NVD GitHub
CVSS 3.0
8.1
EPSS
24.4%
EPSS 0% CVSS 2.8
LOW Monitor

Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Rated low severity (CVSS 2.8), this vulnerability is low attack complexity. No vendor patch available.

Mozilla Session Fixation Information Disclosure +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Andrew S Web Libraries +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Andrew S Web Libraries +1
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Argo Cd
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Session Fixation Information Disclosure +1
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Session fixation vulnerability in EasyBlocks IPv6 Ver. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Easyblocks Ipv6 Firmware +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

In RedpwnCTF before version 2.3, there is a session fixation vulnerability in exploitable through the `#token=$ssid` hash when making a request to the `/verify` endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Session Fixation Rctf
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not properly manage sessions, which allows remote attackers to stop. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Iu1 1M20 D Firmware
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Hga12R 02 Firmware
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Western Digital My Cloud Home before 3.6.0 and ibi before 3.6.0 allow Session Fixation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Ibi +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Redis Session Fixation Information Disclosure +1
NVD GitHub
EPSS 11% CVSS 7.5
HIGH PATCH This Week

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required.

Session Fixation Tomcat Information Disclosure +11
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Adobe +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Eshop
NVD
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Information Disclosure +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 7.3
HIGH POC This Week

eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Homematic Ccu3 Firmware
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A session fixation vulnerability in J-Web on Junos OS may allow an attacker to use social engineering techniques to fix and hijack a J-Web administrators web session and potentially gain. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Juniper Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 7.3
HIGH This Week

IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 AMQP Listeners could allow an unauthorized user to conduct a session fixation attack due to clients not being. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation IBM +1
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation IBM +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Cp Storage Block Firmware
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

SilverStripe through 4.3.3 allows session fixation in the "change password" form. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required. No vendor patch available.

Session Fixation Information Disclosure Silverstripe
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Microsoft Information Disclosure +2
NVD
EPSS 23% CVSS 7.5
HIGH POC THREAT This Week

Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Vxworks +11
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

A remote session reuse vulnerability was discovered in HPE 3PAR StoreServ Management and Core Software Media version(s): prior to 3.5.0.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure 3Par Storeserv Management Console
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

A remote session reuse vulnerability was discovered in HPE 3PAR Service Processor version(s): prior to 5.0.5.1. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure 3Par Service Processor Firmware
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Gitlab Jenkins +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Adobe +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Ccu3 Firmware +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

IBM Security Access Manager 9.0.1 through 9.0.6 does not invalidate session tokens in a timely manner. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version <. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Siemens Information Disclosure +1
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Pydio
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Cisco Information Disclosure +1
NVD
EPSS 20% CVSS 8.8
HIGH POC THREAT This Week

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Session Fixation Zoho +1
NVD Exploit-DB
EPSS 3% CVSS 8.1
HIGH This Week

In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Ivanti Session Fixation +3
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation VMware Information Disclosure +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

An issue was discovered on PHOENIX CONTACT FL NAT SMCS 8TX, FL NAT SMN 8TX, FL NAT SMN 8TX-M, and FL NAT SMN 8TX-M-DMG devices. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Session Fixation Fl Nat Smn 8Tx M Dmg Firmware +3
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Stratos
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Stratos
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Session Fixation Intel +1
NVD
EPSS 1% CVSS 9.6
CRITICAL POC Act Now

DbNinja 3.2.7 allows session fixation via the data.php sessid parameter. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Session Fixation Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Java Session Fixation +2
NVD
EPSS 1% CVSS 7.3
HIGH POC This Week

Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Zoneminder
NVD GitHub
EPSS 1% CVSS 3.7
LOW PATCH Monitor

IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 does not set the secure attribute on authorization tokens or session cookies. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 3.7
LOW Monitor

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation XSS IBM +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Terramaster Operating System
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Tryton
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Fabric Operating System
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation RCE Gitea
NVD GitHub
EPSS 32% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation RCE Gogs
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM This Month

Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Synology +1
NVD
EPSS 1% CVSS 3.1
LOW Monitor

A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password protected shares. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Nextcloud Session Fixation Information Disclosure +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A Session Fixation issue was discovered in Bigtree before 4.2.24. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure PHP +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Denial Of Service Fcj Firmware +3
NVD
EPSS 1% CVSS 8.8
HIGH This Week

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Lenovo Session Fixation Information Disclosure +20
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Philips e-Alert Unit (non-medical device), Version R2.1 and prior. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure E Alert Firmware
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

Navarino Infinity is prone to session fixation attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Authentication Bypass Infinity
NVD
EPSS 2% CVSS 8.8
HIGH POC This Week

An issue was discovered in WonderCMS before 2.5.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Wondercms
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM This Month

IBM Jazz Foundation products could allow a user with physical access to the system to log in as another user due to the server's failure to properly log out from the previous session. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure +7
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Java Session Fixation Jenkins +2
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see:. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Aiohttp Session
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability in the session identification management functionality of the web-based management interface for Cisco Meeting Server could allow an unauthenticated, local attacker to hijack a valid. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Cisco +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A session fixation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to hijack user sessions with a specially crafted request. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Privileged Access Manager
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Codeigniter
NVD GitHub
EPSS 2% CVSS 8.1
HIGH PATCH This Week

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Symfony +2
NVD
EPSS 37% CVSS 9.8
CRITICAL POC THREAT Act Now

An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure TP-Link +2
NVD Exploit-DB
EPSS 1% CVSS 8.8
HIGH This Week

ClipperCMS 1.3.3 allows Session Fixation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Clippercms
NVD GitHub
EPSS 1% CVSS 3.3
LOW POC Monitor

Prior to 2018-04-27, the reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Echo Show Firmware +4
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 8.0
HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Users tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Monstra
NVD GitHub
EPSS 1% CVSS 8.0
HIGH This Week

Monstra CMS 3.0.4 has a Session Management Issue in the Administrations Tab. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure PHP +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

In Nessus before 7.1.0, Session Fixation exists due to insufficient session management within the application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Nessus
NVD
EPSS 1% CVSS 8.1
HIGH This Week

An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a devices. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Wcb6200Q Firmware
NVD
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

A session fixaction vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Jenkins Java +3
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Session fixation vulnerability in EC-CUBE (EC-CUBE 3.0.0, EC-CUBE 3.0.1, EC-CUBE 3.0.2, EC-CUBE 3.0.3, EC-CUBE 3..4, EC-CUBE 3.0.5, EC-CUBE 3.0.6, EC-CUBE 3.0.7, EC-CUBE 3.0.8, EC-CUBE 3.0.9, EC-CUBE. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Ec Cube
NVD
EPSS 4% CVSS 6.5
MEDIUM This Month

A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Denial Of Service Cisco +2
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure VMware +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure SAP +1
NVD
EPSS 2% CVSS 7.3
HIGH This Week

Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure SAP +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Hirschmann Rs20 0900Mmm2Tdau +133
NVD
EPSS 0% CVSS 3.3
LOW Monitor

IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation PHP Information Disclosure +1
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

Session management issue in RX-V200 firmware versions prior to 09.87.17.09, RX-V100 firmware versions prior to 03.29.17.09, RX-CLV1-P firmware versions prior to 79.17.17.09, RX-CLV2-B firmware. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rx V200 Firmware +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Mahara
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation Information Disclosure Mahara
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation PHP Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Authentication Bypass Freeipa
NVD
EPSS 24% CVSS 8.1
HIGH Act Now

Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 24.4% and no vendor patch available.

Session Fixation Honeywell Information Disclosure +7
NVD GitHub
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy