Skip to main content

Session Fixation

295 CVEs product

Monthly

CVE-2016-10405 CRITICAL Act Now

Session fixation vulnerability in D-Link DIR-600L routers (rev. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation D-Link Information Disclosure Dir 600L Firmware
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2017-12873 PHP CRITICAL PATCH Act Now

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass Simplesamlphp Debian Linux
NVD GitHub
CVSS 3.0
9.8
EPSS
0.7%
CVE-2017-12868 PHP CRITICAL PATCH Act Now

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass PHP Simplesamlphp
NVD GitHub
CVSS 3.0
9.8
EPSS
0.8%
CVE-2017-12965 CRITICAL POC THREAT Emergency

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.2%.

Session Fixation Information Disclosure Apache2Triad
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
22.2%
Threat
4.1
CVE-2015-1820 Ruby CRITICAL PATCH Act Now

REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Rest Client
NVD GitHub
CVSS 3.0
9.8
EPSS
3.7%
CVE-2015-1174 CRITICAL Act Now

Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Teta Web
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2016-9981 HIGH PATCH This Week

IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Session Fixation IBM Information Disclosure Security Appscan
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2016-8638 PyPI CRITICAL PATCH Act Now

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Ipsilon
NVD
CVSS 3.0
9.1
EPSS
7.1%
CVE-2017-10600 MEDIUM This Month

ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ubuntu Session Fixation Information Disclosure Ubuntu Image
NVD
CVSS 3.0
5.9
EPSS
0.0%
CVE-2017-2145 MEDIUM This Month

Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Garoon
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-4963 HIGH This Week

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Cloud Foundry Cf Release Cloud Foundry Uaa Cloud Foundry Uaa Release
NVD
CVSS 3.0
8.1
EPSS
0.4%
CVE-2017-4014 HIGH This Week

Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Network Data Loss Prevention
NVD
CVSS 3.0
8.0
EPSS
0.4%
CVE-2016-0721 HIGH PATCH This Week

Session fixation vulnerability in pcsd in pcs before 0.9.157. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Pcs Fedora Enterprise Linux
NVD GitHub
CVSS 3.0
8.1
EPSS
0.4%
CVE-2017-5656 Maven HIGH PATCH This Week

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Apache Information Disclosure Cxf
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2017-1152 MEDIUM PATCH This Month

IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation IBM Information Disclosure Financial Transaction Manager
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-6412 HIGH POC This Week

In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Session Fixation Sophos Information Disclosure Web Appliance
NVD Exploit-DB
CVSS 3.0
8.1
EPSS
0.8%
CVE-2016-9125 CRITICAL PATCH Act Now

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Revive Adserver
NVD GitHub
CVSS 3.0
9.8
EPSS
1.1%
CVE-2017-5831 MEDIUM PATCH This Month

Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable.

Session Fixation Information Disclosure Revive Adserver
NVD
CVSS 3.0
5.9
EPSS
0.2%
CVE-2016-10205 HIGH POC This Week

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Zoneminder
NVD
CVSS 3.0
7.3
EPSS
0.7%
CVE-2017-5141 MEDIUM This Month

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Honeywell Information Disclosure Xl Web Ii Controller
NVD
CVSS 3.0
6.0
EPSS
0.5%
CVE-2016-9703 LOW PATCH Monitor

IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information. Rated low severity (CVSS 2.4), this vulnerability is no authentication required, low attack complexity.

Session Fixation IBM Information Disclosure Security Identity Manager Virtual Appliance
NVD
CVSS 3.0
2.4
EPSS
0.1%
CVE-2016-6043 HIGH PATCH This Week

Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced. Rated high severity (CVSS 7.0).

Session Fixation Information Disclosure Tivoli Storage Manager
NVD
CVSS 3.0
7.0
EPSS
0.0%
CVE-2016-6040 MEDIUM PATCH This Month

IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable.

Session Fixation IBM Information Disclosure Rational Collaborative Lifecycle Management
NVD
CVSS 3.0
5.0
EPSS
0.2%
CVE-2014-4789 MEDIUM PATCH This Month

Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

IBM Information Disclosure Session Fixation Initiate Master Data Service
NVD
CVSS 2.0
6.8
EPSS
0.5%
CVE-2026-40082 MEDIUM This Month

Cacti, the network monitoring and graphing tool, received a security fix in Alpine Linux package version 1.2.31-0. The specific vulnerability class, technical root cause, and impact scope are not disclosed in the available intelligence. No CVSS score, CWE identifier, or advisory narrative accompanies this CVE at time of analysis, making independent severity assessment impossible from provided data alone.

Information Disclosure Session Fixation Cacti
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.2%
EPSS 1% CVSS 9.8
CRITICAL Act Now

Session fixation vulnerability in D-Link DIR-600L routers (rev. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation D-Link Information Disclosure +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass Simplesamlphp +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass PHP +1
NVD GitHub
EPSS 22% 4.1 CVSS 9.8
CRITICAL POC THREAT Emergency

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.2%.

Session Fixation Information Disclosure Apache2Triad
NVD Exploit-DB
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Rest Client
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Teta Web
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

IBM AppScan Enterprise Edition 9.0 contains an unspecified vulnerability that could allow an attacker to hijack a valid user's session. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 7% CVSS 9.1
CRITICAL PATCH Act Now

A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Ipsilon
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Ubuntu Session Fixation Information Disclosure +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Garoon
NVD
EPSS 0% CVSS 8.1
HIGH This Week

An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation Information Disclosure Cloud Foundry Cf Release +2
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Network Data Loss Prevention
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Session fixation vulnerability in pcsd in pcs before 0.9.157. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Pcs +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Apache Information Disclosure +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 8.1
HIGH POC This Week

In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Session Fixation Sophos Information Disclosure +1
NVD Exploit-DB
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure Revive Adserver
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable.

Session Fixation Information Disclosure Revive Adserver
NVD
EPSS 1% CVSS 7.3
HIGH POC This Week

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Zoneminder
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation Honeywell Information Disclosure +1
NVD
EPSS 0% CVSS 2.4
LOW PATCH Monitor

IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information. Rated low severity (CVSS 2.4), this vulnerability is no authentication required, low attack complexity.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced. Rated high severity (CVSS 7.0).

Session Fixation Information Disclosure Tivoli Storage Manager
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

IBM Jazz Foundation could allow an authenticated user to take over a previously logged in user due to session expiration not being enforced. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

IBM Information Disclosure Session Fixation +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cacti, the network monitoring and graphing tool, received a security fix in Alpine Linux package version 1.2.31-0. The specific vulnerability class, technical root cause, and impact scope are not disclosed in the available intelligence. No CVSS score, CWE identifier, or advisory narrative accompanies this CVE at time of analysis, making independent severity assessment impossible from provided data alone.

Information Disclosure Session Fixation Cacti
NVD GitHub VulDB
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy