Search Results (415 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-24745 1 Shopware 1 Shopware 2025-04-23 4.8 Medium
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.
CVE-2022-24781 1 Geon Project 1 Geon 2025-04-23 7.1 High
Geon is a board game based on solving questions about the Pythagorean Theorem. Malicious users can obtain the uuid from other users, spoof that uuid through the browser console and become co-owners of the target session. This issue is patched in version 1.1.0. No known workaround exists.
CVE-2022-38628 1 Niceforyou 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware 2025-04-22 6.1 Medium
Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors.
CVE-2016-9703 1 Ibm 1 Security Identity Manager Virtual Appliance 2025-04-20 N/A
IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information.
CVE-2015-1820 2 Redhat, Rest-client Project 4 Cloudforms Managementengine, Satellite, Satellite Capsule and 1 more 2025-04-20 N/A
REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.
CVE-2017-5831 1 Revive-adserver 1 Revive Adserver 2025-04-20 N/A
Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID.
CVE-2017-4014 1 Mcafee 1 Network Data Loss Prevention 2025-04-20 N/A
Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request.
CVE-2015-4594 1 Eclinicalworks 1 Population Health 2025-04-20 N/A
eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.
CVE-2017-10600 1 Canonical 1 Ubuntu-image 2025-04-20 N/A
ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories.
CVE-2017-12225 1 Cisco 1 Prime Lan Management Solution 2025-04-20 N/A
A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases 4.2(5). Cisco Bug IDs: CSCvf58392.
CVE-2017-12873 2 Debian, Simplesamlphp 2 Debian Linux, Simplesamlphp 2025-04-20 N/A
SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
CVE-2017-14163 1 Mahara 1 Mahara 2025-04-20 N/A
An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account.
CVE-2017-4963 1 Pivotal Software 3 Cloud Foundry Cf-release, Cloud Foundry Uaa, Cloud Foundry Uaa-release 2025-04-20 N/A
An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
CVE-2016-0721 3 Clusterlabs, Fedoraproject, Redhat 3 Pcs, Fedora, Enterprise Linux 2025-04-20 N/A
Session fixation vulnerability in pcsd in pcs before 0.9.157.
CVE-2016-8638 2 Ipsilon Project, Redhat 2 Ipsilon, Enterprise Linux 2025-04-20 N/A
A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability."
CVE-2017-2145 1 Cybozu 1 Garoon 2025-04-20 N/A
Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows remote attackers to perform arbitrary operations via unspecified vectors.
CVE-2017-15304 1 Airtame 2 Hdmi Dongle, Hdmi Dongle Firmware 2025-04-20 N/A
/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change.
CVE-2017-14263 1 Honeywell 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more 2025-04-20 N/A
Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can login to the device with that new user account to fully control the device.
CVE-2016-9125 1 Revive-adserver 1 Revive Adserver 2025-04-20 N/A
Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.
CVE-2017-6412 1 Sophos 1 Web Appliance 2025-04-20 N/A
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310.