Total
353 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13279 | 1 Two-factor Authentication Project | 1 Two-factor Authentication | 2025-09-02 | N/A | 9.8 CRITICAL |
| Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0. | |||||
| CVE-2025-4644 | 2025-08-29 | N/A | N/A | ||
| A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload. | |||||
| CVE-2025-8517 | 1 Vvveb | 1 Vvveb | 2025-08-27 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixiation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue. The patch is identified as d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. You should upgrade the affected component. | |||||
| CVE-2025-53895 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.8 HIGH |
| ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | |||||
| CVE-2025-46815 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.0 HIGH |
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
| CVE-2025-29928 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 8.0 HIGH |
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | |||||
| CVE-2025-55668 | 1 Apache | 1 Tomcat | 2025-08-18 | N/A | 6.5 MEDIUM |
| Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | |||||
| CVE-2025-36117 | 1 Ibm | 1 Db2 Mirror For I | 2025-08-07 | N/A | 6.3 MEDIUM |
| IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2023-38002 | 1 Ibm | 1 Storage Scale | 2025-08-04 | N/A | 5.0 MEDIUM |
| IBM Storage Scale 5.1.0.0 through 5.1.9.2 could allow an authenticated user to steal or manipulate an active session to gain access to the system. IBM X-Force ID: 260208. | |||||
| CVE-2025-53102 | 2025-07-31 | N/A | N/A | ||
| Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8. | |||||
| CVE-2025-51471 | 2025-07-25 | N/A | 6.9 MEDIUM | ||
| Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | |||||
| CVE-2025-0253 | 2025-07-25 | N/A | 2.0 LOW | ||
| HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. | |||||
| CVE-2025-0251 | 2025-07-25 | N/A | 2.6 LOW | ||
| HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. | |||||
| CVE-2025-52689 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point. | |||||
| CVE-2018-1000519 | 1 Aio-libs | 1 Aiohttp Session | 2025-07-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie). | |||||
| CVE-2024-23590 | 1 Apache | 1 Kylin | 2025-07-10 | N/A | 9.1 CRITICAL |
| Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. | |||||
| CVE-2021-3740 | 1 Chatwoot | 1 Chatwoot | 2025-07-10 | N/A | 6.8 MEDIUM |
| A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token. | |||||
| CVE-2025-53021 | 1 Moodle | 1 Moodle | 2025-07-09 | N/A | 4.2 MEDIUM |
| A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2022-40916 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-07-03 | N/A | 9.8 CRITICAL |
| Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | |||||
| CVE-2024-57052 | 1 Youdiancms | 1 Youdiancms | 2025-06-27 | N/A | 9.8 CRITICAL |
| An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. | |||||