VYPR

CWE-384

Session Fixation

CompoundIncomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 1 of 11
  • CVE-2017-12965CriAug 23, 2017
    risk 0.68cvss 9.8epss 0.16

    Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.

  • CVE-2018-11714CriJun 4, 2018
    risk 0.67cvss 9.8epss 0.37

    An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16 v0001.0 Build 170622 Rel.64334n devices. This issue is caused by improper session handling on the /cgi/ folder or a /cgi file. If an attacker…

  • CVE-2015-4594CriJan 10, 2017
    risk 0.67cvss 9.8epss 0.06

    eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.

  • CVE-2025-67446CriJun 4, 2026
    risk 0.64cvss 9.8epss 0.00

    Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value (e.g., setting it to "admin"), an attacker can bypass the authentication…

  • CVE-2026-24352CriFeb 27, 2026
    risk 0.64cvss 9.8epss 0.00

    PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was…

  • CVE-2025-52689CriJul 16, 2025
    risk 0.64cvss 9.8epss 0.11

    Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.

  • CVE-2025-28242CriApr 18, 2025
    risk 0.64cvss 9.8epss 0.02

    Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.

  • CVE-2025-28238CriApr 18, 2025
    risk 0.64cvss 9.8epss 0.00

    Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.

  • CVE-2024-8643CriSep 27, 2024
    risk 0.64cvss 9.8epss 0.00

    Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0.

  • CVE-2016-6545CriJul 13, 2018
    risk 0.64cvss 9.8epss 0.03

    Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the…

  • CVE-2018-6959CriApr 13, 2018
    risk 0.64cvss 9.8epss 0.02

    VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user's session.

  • CVE-2017-15304CriOct 15, 2017
    risk 0.64cvss 9.8epss 0.01

    /bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change.

  • CVE-2016-10405CriSep 7, 2017
    risk 0.64cvss 9.8epss 0.02

    Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.

  • CVE-2015-1820CriAug 9, 2017
    risk 0.64cvss 9.8epss 0.04

    REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.

  • CVE-2015-1174CriAug 2, 2017
    risk 0.64cvss 9.8epss 0.03

    Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id.

  • CVE-2016-9125CriMar 28, 2017
    risk 0.64cvss 9.8epss 0.03

    Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for…

  • CVE-2025-24503CriJan 30, 2025
    risk 0.60cvss epss 0.00

    A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server.

  • CVE-2026-40010CriMay 6, 2026
    risk 0.59cvss 9.1epss 0.00

    Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended…

  • CVE-2023-52268CriNov 12, 2024
    risk 0.59cvss 9.1epss 0.01

    The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. NOTE: this module is not part of freescout-helpdesk/freescout on GitHub.

  • CVE-2018-5385HigJul 24, 2018
    risk 0.58cvss 8.8epss 0.04

    Navarino Infinity is prone to session fixation attacks. The server accepts the session ID as a GET parameter which can lead to bypassing the two factor authentication in some installations. This could lead to phishing attacks that can bypass the two factor authentication that is…