Vulnerabilities (CVE)

Filtered by CWE-384
Total 336 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-40916 1 Tiny File Manager Project 1 Tiny File Manager 2025-07-03 N/A 9.8 CRITICAL
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
CVE-2024-57052 1 Youdiancms 1 Youdiancms 2025-06-27 N/A 9.8 CRITICAL
An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file.
CVE-2025-53021 2025-06-26 N/A 4.2 MEDIUM
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-50920 1 Gl-inet 24 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 21 more 2025-06-17 N/A 5.5 MEDIUM
An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
CVE-2024-2260 1 Zenml 1 Zenml 2025-06-12 N/A 4.2 MEDIUM
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.
CVE-2018-12071 1 Codeigniter 1 Codeigniter 2025-06-09 7.5 HIGH 9.8 CRITICAL
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.
CVE-2024-13967 2025-06-04 N/A 8.8 HIGH
This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT. This issue affects EIBPORT V3 KNX: through 3.9.8; EIBPORT V3 KNX GSM: through 3.9.8.
CVE-2023-45718 1 Hcltech 1 Sametime 2025-06-03 N/A 3.9 LOW
Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.  
CVE-2024-23679 1 Enonic 1 Xp 2025-05-30 N/A 9.8 CRITICAL
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes.
CVE-2023-52353 1 Arm 1 Mbed Tls 2025-05-30 N/A 7.5 HIGH
An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum.
CVE-2024-42171 1 Hcltech 1 Dryice Myxalytics 2025-05-16 N/A 6.4 MEDIUM
HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.
CVE-2024-42170 1 Hcltech 1 Dryice Myxalytics 2025-05-16 N/A 6.8 MEDIUM
HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.
CVE-2025-46815 2025-05-07 N/A 8.0 HIGH
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.
CVE-2022-40293 1 Phppointofsale 1 Php Point Of Sale 2025-05-06 N/A 9.8 CRITICAL
The application was vulnerable to a session fixation that could be used hijack accounts.
CVE-2022-31689 1 Vmware 1 Workspace One Assist 2025-05-01 N/A 9.8 CRITICAL
VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token.
CVE-2025-45949 1 Phpgurukul 1 User Registration \& Login And User Management System 2025-04-30 N/A 9.8 CRITICAL
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover.
CVE-2025-45953 1 Phpgurukul 1 Hostel Management System 2025-04-30 N/A 9.1 CRITICAL
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely
CVE-2022-30769 1 Zoneminder 1 Zoneminder 2025-04-30 N/A 4.6 MEDIUM
Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.
CVE-2022-43687 1 Concretecms 1 Concrete Cms 2025-04-30 N/A 5.4 MEDIUM
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVE-2022-44007 1 Backclick 1 Backclick 2025-04-29 N/A 8.8 HIGH
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.