Total
382 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4439 | 1 Ibm | 1 Cloud Private | 2024-11-21 | 4.6 MEDIUM | 5.3 MEDIUM |
|
IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.
|
|||||
| CVE-2019-4304 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.
|
|||||
| CVE-2019-4227 | 1 Ibm | 1 Mq | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 AMQP Listeners could allow an unauthorized user to conduct a session fixation attack due to clients not being disconnected as they should. IBM X-Force ID: 159352.
|
|||||
| CVE-2019-4152 | 1 Ibm | 1 Security Access Manager | 2024-11-21 | 3.6 LOW | 4.4 MEDIUM |
|
IBM Security Access Manager 9.0.1 through 9.0.6 does not invalidate session tokens in a timely manner. The lack of proper session expiration may allow attackers with local access to login into a closed browser session. IBM X-Force ID: 158515.
|
|||||
| CVE-2019-3784 | 1 Cloudfoundry | 1 Stratos | 2024-11-21 | 4.0 MEDIUM | 8.2 HIGH |
|
Cloud Foundry Stratos, versions prior to 2.3.0, contains an insecure session that can be spoofed. When deployed on cloud foundry with multiple instances using the default embedded SQLite database, a remote authenticated malicious user can switch sessions to another user with the same session id.
|
|||||
| CVE-2019-3783 | 1 Cloudfoundry | 1 Stratos | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
|
Cloud Foundry Stratos, versions prior to 2.3.0, deploys with a public default session store secret. A malicious user with default session store secret can brute force another user's current Stratos session, and act on behalf of that user.
|
|||||
| CVE-2019-1807 | 1 Cisco | 1 Umbrella | 2024-11-21 | 6.8 MEDIUM | 7.6 HIGH |
|
A vulnerability in the session management functionality of the web UI for the Cisco Umbrella Dashboard could allow an authenticated, remote attacker to access the Dashboard via an active, user session. The vulnerability exists due to the affected application not invalidating an existing session when a user authenticates to the application and changes the users credentials via another authenticated session. An attacker could exploit this vulnerability by using a separate, authenticated, active se ...
Show More |
|||||
| CVE-2019-19610 | 1 Halvotec | 1 Raquest | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
An issue was discovered in Halvotec RaQuest 10.23.10801.0. It allows session fixation. Fixed in Release 24.2020.20608.0.
|
|||||
| CVE-2019-18946 | 1 Microfocus | 1 Solutions Business Manager | 2024-11-21 | 3.8 LOW | 4.8 MEDIUM |
|
Micro Focus Solutions Business Manager Application Repository versions prior to 11.7.1 are vulnerable to session fixation.
|
|||||
| CVE-2019-18573 | 1 Dell | 1 Rsa Identity Governance And Lifecycle | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance products prior to 7.1.1 P03 contain a Session Fixation vulnerability. An authenticated malicious local user could potentially exploit this vulnerability as the session token is exposed as part of the URL. A remote attacker can gain access to victim’s session and perform arbitrary actions with privileges of the user within the compromised session.
|
|||||
| CVE-2019-18418 | 1 Clonos | 1 Clonos | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management.
|
|||||
| CVE-2019-17563 | 5 Apache, Canonical, Debian and 2 more | 11 Tomcat, Ubuntu Linux, Debian Linux and 8 more | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
|
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
|
|||||
| CVE-2019-17062 | 1 Oxid-esales | 1 Eshop | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x before 6.1.5, OXID eShop Enterprise Edition Version 5.2.x-5.3.x, OXID eShop Professional Edition Version 4.9.x-4.10.x and OXID eShop Community Edition Version: 4.9.x-4.10.x. By using a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel via session fixation.
|
|||||
| CVE-2019-15849 | 1 Eq-3 | 2 Homematic Ccu3, Homematic Ccu3 Firmware | 2024-11-21 | 4.9 MEDIUM | 7.3 HIGH |
|
eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.
|
|||||
| CVE-2019-15612 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | 3.2 LOW | 5.9 MEDIUM |
|
A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
|
|||||
| CVE-2019-13517 | 1 Bd | 2 Pyxis Enterprise Server, Pyxis Es | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In Pyxis ES Versions 1.3.4 through to 1.6.1 and Pyxis Enterprise Server, with Windows Server Versions 4.4 through 4.12, a vulnerability has been identified where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain.
|
|||||
| CVE-2019-12258 | 5 Belden, Netapp, Siemens and 2 more | 50 Garrettcom Magnum Dx940e, Garrettcom Magnum Dx940e Firmware, Hirschmann Dragon Mach4000 and 47 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Wind River VxWorks 6.6 through vx7 has Session Fixation in the TCP component. This is a IPNET security vulnerability: DoS of TCP connection via malformed TCP options.
|
|||||
| CVE-2019-12203 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 3.7 LOW | 6.3 MEDIUM |
|
SilverStripe through 4.3.3 allows session fixation in the "change password" form.
|
|||||
| CVE-2019-11213 | 2 Ivanti, Pulsesecure | 3 Connect Secure, Pulse Connect Secure, Pulse Secure Desktop Client | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
In Pulse Secure Pulse Desktop Client and Network Connect, an attacker could access session tokens to replay and spoof sessions, and as a result, gain unauthorized access as an end user, a related issue to CVE-2019-1573. (The endpoint would need to be already compromised for exploitation to succeed.) This affects Pulse Desktop Client 5.x before Secure Desktop 5.3R7 and Pulse Desktop Client 9.x before Secure Desktop 9.0R3. It also affects (for Network Connect customers) Pulse Connect Secure 8.1 be ...
Show More |
|||||
| CVE-2019-10371 | 1 Jenkins | 1 Gitlab Oauth | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
|
|||||
| CVE-2019-10158 | 2 Infinispan, Redhat | 2 Infinispan, Jboss Data Grid | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
|
|||||
| CVE-2019-10120 | 1 Eq-3 | 4 Ccu2, Ccu2 Firmware, Ccu3 and 1 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154.
|
|||||
| CVE-2019-10084 | 1 Apache | 1 Impala | 2024-11-21 | 4.6 MEDIUM | 7.5 HIGH |
|
In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. Session and query IDs are unique and random, but have not been documented or consistently treated as sensitive secrets. Therefore they may be exposed in logs or interfaces. They were also not generated with a cryptographically secure rand ...
Show More |
|||||
| CVE-2019-10045 | 1 Pydio | 1 Pydio | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
The "action" get_sess_id in the web application of Pydio through 8.2.2 discloses the session cookie value in the response body, enabling scripts to get access to its value. This identifier can be reused by an attacker to impersonate a user and perform actions on behalf of him/her (if the session is still active).
|
|||||
| CVE-2019-10008 | 1 Zohocorp | 1 Servicedesk Plus | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.
|
|||||
| CVE-2019-1003019 | 1 Jenkins | 1 Github Oauth | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
An session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.
|
|||||
| CVE-2019-0102 | 1 Intel | 1 Data Center Manager | 2024-11-21 | 5.8 MEDIUM | 8.8 HIGH |
|
Insufficient session authentication in web server for Intel(R) Data Center Manager SDK before version 5.0.2 may allow an unauthenticated user to potentially enable escalation of privilege via network access.
|
|||||
| CVE-2019-0062 | 1 Juniper | 46 Csrx, Ex2200, Ex2200-c and 43 more | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
|
A session fixation vulnerability in J-Web on Junos OS may allow an attacker to use social engineering techniques to fix and hijack a J-Web administrators web session and potentially gain administrative access to the device. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S15 on EX Series; 12.3X48 versions prior to 12.3X48-D85 on SRX Series; 14.1X53 versions prior to 14.1X53-D51; 15.1 versions prior to 15.1F6-S13, 15.1R7-S5; 15.1X49 versions prior to 15.1X49-D180 on S ...
Show More |
|||||
| CVE-2018-9082 | 1 Lenovo | 40 Ez Media \& Backup Center, Ez Media \& Backup Center Firmware, Ix2 and 37 more | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
|
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
|
|||||
| CVE-2018-9026 | 1 Broadcom | 1 Privileged Access Manager | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A session fixation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to hijack user sessions with a specially crafted request.
|
|||||
| CVE-2018-8852 | 1 Philips | 1 E-alert Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Philips e-Alert Unit (non-medical device), Version R2.1 and prior. When authenticating a user or otherwise establishing a new user session, the software gives an attacker the opportunity to steal authenticated sessions without invalidating any existing session identifier.
|
|||||
| CVE-2018-6959 | 1 Vmware | 1 Vrealize Automation | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user's session.
|
|||||
| CVE-2018-6434 | 1 Broadcom | 1 Fabric Operating System | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A vulnerability in the web management interface of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, 7.4.2d could allow attackers to intercept or manipulate a user's session ID.
|
|||||
| CVE-2018-5465 | 1 Belden | 134 Hirschmann M1-8mm-sc, Hirschmann M1-8sfp, Hirschmann M1-8sm-sc and 131 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. A session fixation vulnerability in the web interface has been identified, which may allow an attacker to hijack web sessions.
|
|||||
| CVE-2018-5385 | 1 Navarino | 1 Infinity | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Navarino Infinity is prone to session fixation attacks. The server accepts the session ID as a GET parameter which can lead to bypassing the two factor authentication in some installations. This could lead to phishing attacks that can bypass the two factor authentication that is present in some installations.
|
|||||
| CVE-2018-2409 | 1 Sap | 1 Cloud Platform | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
Improper session management when using SAP Cloud Platform 2.0 (Connectivity Service and Cloud Connector). Under certain conditions, data of some other user may be shown or modified when using an application built on top of SAP Cloud Platform.
|
|||||
| CVE-2018-2408 | 1 Sap | 1 Businessobjects | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
|
Improper Session Management in SAP Business Objects, 4.0, from 4.10, from 4.20, 4.30, CMC/BI Launchpad/Fiorified BI Launchpad. In case of password change for a user, all other active sessions created using older password continues to be active.
|
|||||
| CVE-2018-20238 | 1 Atlassian | 1 Crowd | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
Various rest resources in Atlassian Crowd before version 3.2.7 and from version 3.3.0 before version 3.3.4 allow remote attackers to authenticate using an expired user session via an insufficient session expiration vulnerability.
|
|||||
| CVE-2018-1962 | 1 Ibm | 1 Security Identity Manager | 2024-11-21 | 2.1 LOW | 4.0 MEDIUM |
|
IBM Security Identity Manager 7.0.1 Virtual Appliance does not invalidate session tokens when the logout button is pressed. The lack of proper session termination may allow attackers with local access to login into a closed browser session. IBM X-Force ID: 153658.
|
|||||
| CVE-2018-1948 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
IBM Security Identity Governance and Intelligence 5.2 through 5.2.4.1 Virtual Appliance does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 153428.
|
|||||