Total
359 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8517 | 1 Vvveb | 1 Vvveb | 2025-08-27 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixiation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue. The patch is identified as d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. You should upgrade the affected component. | |||||
| CVE-2025-53895 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.8 HIGH |
| ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | |||||
| CVE-2025-46815 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.0 HIGH |
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
| CVE-2025-29928 | 1 Goauthentik | 1 Authentik | 2025-08-21 | N/A | 8.0 HIGH |
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | |||||
| CVE-2025-36117 | 1 Ibm | 1 Db2 Mirror For I | 2025-08-07 | N/A | 6.3 MEDIUM |
| IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2023-38002 | 1 Ibm | 1 Storage Scale | 2025-08-04 | N/A | 5.0 MEDIUM |
| IBM Storage Scale 5.1.0.0 through 5.1.9.2 could allow an authenticated user to steal or manipulate an active session to gain access to the system. IBM X-Force ID: 260208. | |||||
| CVE-2025-53102 | 2025-07-31 | N/A | N/A | ||
| Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8. | |||||
| CVE-2025-52689 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point. | |||||
| CVE-2018-1000519 | 1 Aio-libs | 1 Aiohttp Session | 2025-07-11 | 4.3 MEDIUM | 6.5 MEDIUM |
| aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie). | |||||
| CVE-2024-23590 | 1 Apache | 1 Kylin | 2025-07-10 | N/A | 9.1 CRITICAL |
| Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. | |||||
| CVE-2021-3740 | 1 Chatwoot | 1 Chatwoot | 2025-07-10 | N/A | 6.8 MEDIUM |
| A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token. | |||||
| CVE-2025-53021 | 1 Moodle | 1 Moodle | 2025-07-09 | N/A | 4.2 MEDIUM |
| A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2022-40916 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-07-03 | N/A | 9.8 CRITICAL |
| Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | |||||
| CVE-2024-57052 | 1 Youdiancms | 1 Youdiancms | 2025-06-27 | N/A | 9.8 CRITICAL |
| An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. | |||||
| CVE-2023-50920 | 1 Gl-inet | 24 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 21 more | 2025-06-17 | N/A | 5.5 MEDIUM |
| An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | |||||
| CVE-2024-2260 | 1 Zenml | 1 Zenml | 2025-06-12 | N/A | 4.2 MEDIUM |
| A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. | |||||
| CVE-2018-12071 | 1 Codeigniter | 1 Codeigniter | 2025-06-09 | 7.5 HIGH | 9.8 CRITICAL |
| A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled. | |||||
| CVE-2024-13967 | 2025-06-04 | N/A | 8.8 HIGH | ||
| This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT. This issue affects EIBPORT V3 KNX: through 3.9.8; EIBPORT V3 KNX GSM: through 3.9.8. | |||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2025-06-03 | N/A | 3.9 LOW |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | |||||
| CVE-2024-23679 | 1 Enonic | 1 Xp | 2025-05-30 | N/A | 9.8 CRITICAL |
| Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. | |||||