Total
334 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42207 | 2025-02-05 | N/A | 5.5 MEDIUM | ||
| HCL iAutomate is affected by a session fixation vulnerability. An attacker could hijack a victim's session ID from their authenticated session. | |||||
| CVE-2025-24503 | 2025-02-05 | N/A | N/A | ||
| A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server. | |||||
| CVE-2025-24502 | 2025-02-05 | N/A | N/A | ||
| An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. | |||||
| CVE-2024-0157 | 1 Dell | 2 Storage Monitoring And Reporting, Storage Resource Manager | 2025-02-04 | N/A | 5.9 MEDIUM |
| Dell Storage Resource Manager, 4.9.0.0 and below, contain(s) a Session Fixation Vulnerability in SRM Windows Host Agent. An adjacent network unauthenticated attacker could potentially exploit this vulnerability, leading to the hijack of a targeted user's application session. | |||||
| CVE-2025-22216 | 2025-01-31 | N/A | 5.4 MEDIUM | ||
| A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones. | |||||
| CVE-2023-28316 | 1 Rocket.chat | 1 Rocket.chat | 2025-01-28 | N/A | 9.8 CRITICAL |
| A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow an attacker to maintain access to a compromised account even after 2FA is enabled. | |||||
| CVE-2024-57052 | 2025-01-28 | N/A | 9.8 CRITICAL | ||
| An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. | |||||
| CVE-2023-30056 | 1 Fico | 1 Origination Manager Decision | 2025-01-28 | N/A | 7.5 HIGH |
| A session takeover vulnerability exists in FICO Origination Manager Decision Module 4.8.1 due to insufficient protection of the JSESSIONID cookie. | |||||
| CVE-2023-31498 | 1 Phpgurukul | 1 Hospital Management System | 2025-01-27 | N/A | 9.8 CRITICAL |
| A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to execute arbitrary code and access sensitive information via the session token parameter. | |||||
| CVE-2023-32997 | 1 Jenkins | 1 Cas | 2025-01-23 | N/A | 8.8 HIGH |
| Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login. | |||||
| CVE-2024-50339 | 1 Glpi-project | 1 Glpi | 2025-01-10 | N/A | 5.3 MEDIUM |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue. | |||||
| CVE-2024-13279 | 2025-01-10 | N/A | 9.8 CRITICAL | ||
| Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0. | |||||
| CVE-2024-30262 | 1 Contao | 1 Contao | 2025-01-09 | N/A | 5.9 MEDIUM |
| Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module. | |||||
| CVE-2024-28197 | 1 Zitadel | 1 Zitadel | 2025-01-07 | N/A | 7.5 HIGH |
| Zitadel is an open source identity management system. Zitadel uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. Versions 2.46.0, 2.45.1, and 2.44.3 have been patched. Zitadel recommends upgrading to the latest versions available in due course. Note that applying the patch will invalidate the current cookie and thus users will need to start a new session and existing sessions (user selection) will be empty. For self-hosted environments unable to upgrade to a patched version, prevent setting the following cookie name on subdomains of your Zitadel instance (e.g. within your WAF): `__Secure-zitadel-useragent`. | |||||
| CVE-2024-56733 | 2024-12-30 | N/A | 5.7 MEDIUM | ||
| Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device. Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access. | |||||
| CVE-2023-34156 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 5.3 MEDIUM |
| Vulnerability of services denied by early fingerprint APIs on HarmonyOS products.Successful exploitation of this vulnerability may cause services to be denied. | |||||
| CVE-2024-28144 | 2024-12-13 | N/A | 5.5 MEDIUM | ||
| An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user. | |||||
| CVE-2023-50176 | 1 Fortinet | 1 Fortios | 2024-12-12 | N/A | 7.5 HIGH |
| A session fixation in Fortinet FortiOS version 7.4.0 through 7.4.3 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.13 allows attacker to execute unauthorized code or commands via phishing SAML authentication link. | |||||
| CVE-2023-34656 | 1 Video Management System Project | 1 Video Management System | 2024-11-27 | N/A | 8.8 HIGH |
| An issue was discovered with the JSESSION IDs in Xiamen Si Xin Communication Technology Video management system 3.1 thru 4.1 allows attackers to gain escalated privileges. | |||||
| CVE-2024-25977 | 2024-11-21 | N/A | 7.3 HIGH | ||
| The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over. | |||||