Total
336 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-40916 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-07-03 | N/A | 9.8 CRITICAL |
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | |||||
CVE-2024-57052 | 1 Youdiancms | 1 Youdiancms | 2025-06-27 | N/A | 9.8 CRITICAL |
An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. | |||||
CVE-2025-53021 | 2025-06-26 | N/A | 4.2 MEDIUM | ||
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
CVE-2023-50920 | 1 Gl-inet | 24 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 21 more | 2025-06-17 | N/A | 5.5 MEDIUM |
An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | |||||
CVE-2024-2260 | 1 Zenml | 1 Zenml | 2025-06-12 | N/A | 4.2 MEDIUM |
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. | |||||
CVE-2018-12071 | 1 Codeigniter | 1 Codeigniter | 2025-06-09 | 7.5 HIGH | 9.8 CRITICAL |
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled. | |||||
CVE-2024-13967 | 2025-06-04 | N/A | 8.8 HIGH | ||
This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT. This issue affects EIBPORT V3 KNX: through 3.9.8; EIBPORT V3 KNX GSM: through 3.9.8. | |||||
CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2025-06-03 | N/A | 3.9 LOW |
Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. Â | |||||
CVE-2024-23679 | 1 Enonic | 1 Xp | 2025-05-30 | N/A | 9.8 CRITICAL |
Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior sessions due to the lack of invalidating session attributes. | |||||
CVE-2023-52353 | 1 Arm | 1 Mbed Tls | 2025-05-30 | N/A | 7.5 HIGH |
An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_session_reset, the maximum negotiable TLS version is mishandled. For example, if the last connection negotiated TLS 1.2, then 1.2 becomes the new maximum. | |||||
CVE-2024-42171 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 6.4 MEDIUM |
HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session. | |||||
CVE-2024-42170 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 6.8 MEDIUM |
HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session. | |||||
CVE-2025-46815 | 2025-05-07 | N/A | 8.0 HIGH | ||
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
CVE-2022-40293 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.8 CRITICAL |
The application was vulnerable to a session fixation that could be used hijack accounts. | |||||
CVE-2022-31689 | 1 Vmware | 1 Workspace One Assist | 2025-05-01 | N/A | 9.8 CRITICAL |
VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token may be able to authenticate to the application using that token. | |||||
CVE-2025-45949 | 1 Phpgurukul | 1 User Registration \& Login And User Management System | 2025-04-30 | N/A | 9.8 CRITICAL |
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover. | |||||
CVE-2025-45953 | 1 Phpgurukul | 1 Hostel Management System | 2025-04-30 | N/A | 9.1 CRITICAL |
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely | |||||
CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2025-04-30 | N/A | 4.6 MEDIUM |
Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | |||||
CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | N/A | 5.4 MEDIUM |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | |||||
CVE-2022-44007 | 1 Backclick | 1 Backclick | 2025-04-29 | N/A | 8.8 HIGH |
An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation. |