Total
383 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-37159 | 1 Hpe | 1 Arubaos-cx | 2025-12-04 | 5.8 Medium |
| A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data. | ||||
| CVE-2025-12390 | 1 Redhat | 1 Build Keycloak | 2025-12-02 | 6 Medium |
| A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. | ||||
| CVE-2025-63529 | 2 Blood Bank Management System Project, Shridharshukl | 2 Blood Bank Management System, Blood Bank Management System | 2025-12-02 | 6.1 Medium |
| A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account. | ||||
| CVE-2025-65681 | 1 Edly | 1 Tutor | 2025-12-01 | 3.3 Low |
| An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | ||||
| CVE-2025-56400 | 3 Apple, Google, Tuya | 5 Ios, Android, Smart and 2 more | 2025-12-01 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | ||||
| CVE-2024-23679 | 1 Enonic | 1 Xp | 2025-11-29 | 9.8 Critical |
| Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. | ||||
| CVE-2025-63216 | 1 Itel | 1 Dab Gateway | 2025-11-21 | 10 Critical |
| The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | ||||
| CVE-2025-63224 | 1 Itel | 1 Dab Encoder | 2025-11-21 | 10 Critical |
| The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | ||||
| CVE-2024-7341 | 1 Redhat | 8 Build Keycloak, Build Of Keycloak, Enterprise Linux and 5 more | 2025-11-13 | 7.1 High |
| A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | ||||
| CVE-2025-55668 | 1 Apache | 1 Tomcat | 2025-11-04 | 6.5 Medium |
| Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | ||||
| CVE-2024-28144 | 2025-11-03 | 5.5 Medium | ||
| An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user. | ||||
| CVE-2025-64100 | 1 Ckan | 1 Ckan | 2025-10-30 | 6.1 Medium |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4 | ||||
| CVE-2024-49709 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | 4.4 Medium |
| Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not destroy the old sessions when creating new ones, what expands the time frame in which an attack might be performed. This vulnerability has been patched in version 79.0 | ||||
| CVE-2025-56746 | 1 Creativeitem | 1 Academy Lms | 2025-10-23 | 2.2 Low |
| Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers. | ||||
| CVE-2025-10228 | 1 Rolantis Information Technologies | 1 Agentis | 2025-10-20 | 8.8 High |
| Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking.This issue affects Agentis: before 4.44. | ||||
| CVE-2025-51471 | 1 Ollama | 1 Ollama | 2025-10-17 | 6.9 Medium |
| Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | ||||
| CVE-2024-37829 | 1 Getoutline | 1 Outline | 2025-10-10 | 8.8 High |
| An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. | ||||
| CVE-2024-42207 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | 5.5 Medium |
| HCL iAutomate is affected by a session fixation vulnerability. An attacker could hijack a victim's session ID from their authenticated session. | ||||
| CVE-2025-0251 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | 2.6 Low |
| HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. | ||||
| CVE-2025-0253 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | 2 Low |
| HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. | ||||