Total
334 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29368 | 1 Cuppacms | 1 Cuppacms | 2025-04-03 | N/A | 8.8 HIGH |
| Session fixation vulnerability in CuppaCMS thru commit 4c9b742b23b924cf4c1f943f48b278e06a17e297 on November 12, 2019 allows attackers to gain access to arbitrary user sessions. | |||||
| CVE-2001-1534 | 1 Apache | 1 Http Server | 2025-04-03 | 2.1 LOW | N/A |
| mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. | |||||
| CVE-1999-0428 | 1 Openssl | 1 Openssl | 2025-04-03 | 7.5 HIGH | N/A |
| OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. | |||||
| CVE-2023-24427 | 1 Jenkins | 1 Bitbucket Oauth | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24424 | 1 Jenkins | 1 Openid Connect Authentication | 2025-04-02 | N/A | 8.8 HIGH |
| Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login. | |||||
| CVE-2023-24456 | 1 Jenkins | 1 Keycloak Authentication | 2025-04-02 | N/A | 9.8 CRITICAL |
| Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login. | |||||
| CVE-2025-27661 | 1 Printerlogic | 2 Vasion Print, Virtual Appliance | 2025-04-01 | N/A | 9.1 CRITICAL |
| Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004. | |||||
| CVE-2025-29928 | 2025-03-28 | N/A | 8.0 HIGH | ||
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | |||||
| CVE-2023-30307 | 2025-03-27 | N/A | 5.3 MEDIUM | ||
| An issue discovered in TP-LINK TL-R473GP-AC, TP-LINK XDR6020, TP-LINK TL-R479GP-AC, TP-LINK TL-R4239G, TP-LINK TL-WAR1200L, and TP-LINK TL-R476G routers allows attackers to hijack TCP sessions which could lead to a denial of service. | |||||
| CVE-2023-50270 | 1 Apache | 1 Dolphinscheduler | 2025-03-18 | N/A | 6.5 MEDIUM |
| Session Fixation Apache DolphinScheduler before version 3.2.0, which session is still valid after the password change. Users are recommended to upgrade to version 3.2.1, which fixes this issue. | |||||
| CVE-2024-56529 | 2025-03-14 | N/A | 7.1 HIGH | ||
| Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier. | |||||
| CVE-2024-49344 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-03-11 | N/A | 4.3 MEDIUM |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still left active after logout. | |||||
| CVE-2025-26658 | 2025-03-11 | N/A | 6.8 MEDIUM | ||
| The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application with no effect on the availability of the application. | |||||
| CVE-2021-36394 | 1 Moodle | 1 Moodle | 2025-03-06 | N/A | 9.8 CRITICAL |
| In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. | |||||
| CVE-2025-1412 | 2025-02-24 | N/A | 3.1 LOW | ||
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | |||||
| CVE-2022-31888 | 1 Enhancesoft | 1 Osticket | 2025-02-13 | N/A | 8.8 HIGH |
| Session Fixation vulnerability in in function login in class.auth.php in osTicket through 1.16.2. | |||||
| CVE-2022-24895 | 1 Sensiolabs | 1 Symfony | 2025-02-13 | N/A | 6.3 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch. | |||||
| CVE-2023-26260 | 1 Oxidforge | 1 Oxid Eshop | 2025-02-11 | N/A | 5.4 MEDIUM |
| OXID eShop 6.2.x before 6.4.4 and 6.5.x before 6.5.2 allows session hijacking, leading to partial access of a customer's account by an attacker, due to an improper check of the user agent. | |||||
| CVE-2022-40916 | 2025-02-07 | N/A | 9.8 CRITICAL | ||
| Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | |||||
| CVE-2023-2105 | 1 Easyappointments | 1 Easyappointments | 2025-02-06 | N/A | 8.8 HIGH |
| Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||