Total
375 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-28242 | 2025-04-22 | 9.8 Critical | ||
| Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. | ||||
| CVE-2025-28238 | 2025-04-22 | 9.8 Critical | ||
| Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. | ||||
| CVE-2022-40226 | 1 Siemens | 72 7kg8500-0aa00-0aa0, 7kg8500-0aa00-0aa0 Firmware, 7kg8500-0aa00-2aa0 and 69 more | 2025-04-21 | 7.5 High |
| A vulnerability has been identified in SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P850 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10), SICAM P855 (All versions < V3.10). Affected devices accept user defined session cookies and do not renew the session cookie after login/logout. This could allow an attacker to take over another user's session after login. | ||||
| CVE-2017-5141 | 1 Honeywell | 1 Xl Web Ii Controller | 2025-04-20 | N/A |
| An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION). | ||||
| CVE-2017-12965 | 1 Apache2triad | 1 Apache2triad | 2025-04-20 | N/A |
| Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. | ||||
| CVE-2016-9125 | 1 Revive-adserver | 1 Revive Adserver | 2025-04-20 | N/A |
| Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session. | ||||
| CVE-2017-4014 | 1 Mcafee | 1 Network Data Loss Prevention | 2025-04-20 | N/A |
| Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request. | ||||
| CVE-2017-6412 | 1 Sophos | 1 Web Appliance | 2025-04-20 | N/A |
| In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310. | ||||
| CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | ||||
| CVE-2017-11191 | 1 Freeipa | 1 Freeipa | 2025-04-20 | N/A |
| FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern | ||||
| CVE-2017-10890 | 1 Sharp | 10 Rx-clv1-p, Rx-clv1-p Firmware, Rx-clv2-b and 7 more | 2025-04-20 | N/A |
| Session management issue in RX-V200 firmware versions prior to 09.87.17.09, RX-V100 firmware versions prior to 03.29.17.09, RX-CLV1-P firmware versions prior to 79.17.17.09, RX-CLV2-B firmware versions prior to 89.07.17.09, RX-CLV3-N firmware versions prior to 91.09.17.10 allows an attacker on the same LAN to perform arbitrary operations or access information via unspecified vectors. | ||||
| CVE-2017-12868 | 2 Php, Simplesamlphp | 2 Php, Simplesamlphp | 2025-04-20 | N/A |
| The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | ||||
| CVE-2017-5831 | 1 Revive-adserver | 1 Revive Adserver | 2025-04-20 | N/A |
| Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. | ||||
| CVE-2017-5656 | 2 Apache, Redhat | 4 Cxf, Jboss Amq, Jboss Fuse and 1 more | 2025-04-20 | N/A |
| Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user. | ||||
| CVE-2015-4594 | 1 Eclinicalworks | 1 Population Health | 2025-04-20 | N/A |
| eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID. | ||||
| CVE-2017-4963 | 1 Pivotal Software | 3 Cloud Foundry Cf-release, Cloud Foundry Uaa, Cloud Foundry Uaa-release | 2025-04-20 | N/A |
| An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers. | ||||
| CVE-2017-11562 | 1 Mt4 | 1 Senhasegura | 2025-04-20 | N/A |
| A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php. | ||||
| CVE-2015-1174 | 1 Unit4 | 1 Teta Web | 2025-04-20 | N/A |
| Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id. | ||||
| CVE-2017-12873 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2025-04-20 | N/A |
| SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. | ||||
| CVE-2017-1270 | 1 Ibm | 1 Security Guardium | 2025-04-20 | N/A |
| IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 124745. | ||||