Total
334 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42171 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 6.4 MEDIUM |
| HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session. | |||||
| CVE-2024-42170 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 6.8 MEDIUM |
| HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session. | |||||
| CVE-2025-46815 | 2025-05-07 | N/A | 8.0 HIGH | ||
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
| CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.8 CRITICAL |
| The application was vulnerable to a session fixation that could be used hijack accounts. | |||||
| CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | N/A | 9.8 CRITICAL |
| VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. | |||||
| CVE-2025-45949 | 1 Phpgurukul | 1 User Registration \& Login And User Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
| A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover. | |||||
| CVE-2025-45953 | 1 Phpgurukul | 1 Hostel Management System | 2025-04-30 | N/A | 9.1 CRITICAL |
| A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely | |||||
| CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2025-04-30 | N/A | 4.6 MEDIUM |
| Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | |||||
| CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 5.4 MEDIUM |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
| CVE-2022-44007 | 1 Backclick | 1 Backclick | 2025-04-29 | N/A | 8.8 HIGH |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. | |||||
| CVE-2022-44788 | 1 Maggioli | 1 Appalti \& Contratti | 2025-04-29 | N/A | 6.5 MEDIUM |
| An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login. | |||||
| CVE-2025-42602 | 2025-04-23 | N/A | N/A | ||
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | |||||
| CVE-2022-38628 | 1 Niceforyou | 2 Linear Emerge E3 Access Control, Linear Emerge E3 Access Control Firmware | 2025-04-22 | N/A | 6.1 MEDIUM |
| Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a cross-site scripting (XSS) vulnerability which is chained with a local session fixation. This vulnerability allows attackers to escalate privileges via unspecified vectors. | |||||
| CVE-2025-28242 | 2025-04-22 | N/A | 9.8 CRITICAL | ||
| Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. | |||||
| CVE-2025-28238 | 2025-04-22 | N/A | 9.8 CRITICAL | ||
| Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. | |||||
| CVE-2017-10600 | 1 Canonical | 1 Ubuntu-image | 2025-04-20 | 4.6 MEDIUM | 5.9 MEDIUM |
| ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates files in the resulting image with the uid of the invoking user. When the resulting image is booted, a local attacker with the same uid as the image creator has unintended access to cloud-init and snapd directories. | |||||
| CVE-2017-1152 | 1 Ibm | 1 Financial Transaction Manager | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293. | |||||
| CVE-2015-1820 | 1 Rest-client Project | 1 Rest-client | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect. | |||||
| CVE-2017-11562 | 1 Mt4 | 1 Senhasegura | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. | |||||
| CVE-2016-6043 | 1 Ibm | 1 Tivoli Storage Manager | 2025-04-20 | 4.4 MEDIUM | 7.0 HIGH |
| Tivoli Storage Manager Operations Center could allow a local user to take over a previously logged in user due to session expiration not being enforced. | |||||