Total
338 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-44017 | 1 Simmeth | 1 Lieferantenmanager | 2025-04-15 | N/A | 7.5 HIGH |
| An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout. | |||||
| CVE-2014-4789 | 1 Ibm | 1 Initiate Master Data Service | 2025-04-12 | 6.8 MEDIUM | N/A |
| Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors. | |||||
| CVE-2022-36437 | 1 Hazelcast | 2 Hazelcast, Hazelcast-jet | 2025-04-11 | N/A | 9.1 CRITICAL |
| The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. | |||||
| CVE-2025-0126 | 2025-04-11 | N/A | N/A | ||
| When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker. The SAML login for the PAN-OS® management interface is not affected. Additionally, this issue does not affect Cloud NGFW and all Prisma® Access instances are proactively patched. | |||||
| CVE-2024-23193 | 1 Open-xchange | 1 Ox App Suite | 2025-04-10 | N/A | 5.3 MEDIUM |
| E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known. | |||||
| CVE-2024-11317 | 1 Abb | 38 Aspect-ent-12, Aspect-ent-12 Firmware, Aspect-ent-2 and 35 more | 2025-04-10 | N/A | 10.0 CRITICAL |
| Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session takeover on a product. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 | |||||
| CVE-2022-43529 | 1 Arubanetworks | 1 Aruba Edgeconnect Enterprise Orchestrator | 2025-04-10 | N/A | 4.6 MEDIUM |
| A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned. | |||||
| CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2025-04-09 | 5.8 MEDIUM | N/A |
| Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | |||||
| CVE-2007-4188 | 1 Joomla | 1 Joomla\! | 2025-04-09 | 9.3 HIGH | N/A |
| Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. | |||||
| CVE-2021-29368 | 1 Cuppacms | 1 Cuppacms | 2025-04-03 | N/A | 8.8 HIGH |
| Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions. | |||||
| CVE-1999-0428 | 1 Openssl | 1 Openssl | 2025-04-03 | 7.5 HIGH | N/A |
| OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. | |||||
| CVE-2001-1534 | 1 Apache | 1 Http Server | 2025-04-03 | 2.1 LOW | N/A |
| mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. | |||||
| CVE-2023-24427 | 1 Jenkins | 1 Bitbucket Oauth | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2025-04-02 | N/A | 8.8 HIGH |
| Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | |||||
| CVE-2025-27661 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.1 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. | |||||
| CVE-2025-29928 | 2025-03-28 | N/A | 8.0 HIGH | ||
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | |||||
| CVE-2023-30307 | 2025-03-27 | N/A | 5.3 MEDIUM | ||
| An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of service. | |||||
| CVE-2023-50270 | 1 Apache | 1 Dolphinscheduler | 2025-03-18 | N/A | 6.5 MEDIUM |
| Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |||||
| CVE-2024-56529 | 2025-03-14 | N/A | 7.1 HIGH | ||
| Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier. | |||||