CWE-384

Session Fixation

CompoundIncomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

CWE-610

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (79)

page 1 of 4

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2017-12965	Cri	0.68	9.8	0.22	Aug 23, 2017	Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.
CVE-2015-4594	Cri	0.68	9.8	0.12	Jan 10, 2017	eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.
CVE-2025-28242	Cri	0.65	9.8	0.12	Apr 18, 2025	Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
CVE-2026-25101	Cri	0.64	9.8	0.00	Mar 27, 2026	Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2.
CVE-2025-52689	Cri	0.64	9.8	0.02	Jul 16, 2025	Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.
CVE-2025-28238	Cri	0.64	9.8	0.00	Apr 18, 2025	Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.
CVE-2017-15304	Cri	0.64	9.8	0.00	Oct 15, 2017	/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a "Cookie: PHPSESSID=" header. This can be used to achieve persistent access to the admin panel even after an admin password change.
CVE-2016-10405	Cri	0.64	9.8	0.01	Sep 7, 2017	Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.
CVE-2015-1820	Cri	0.64	9.8	0.04	Aug 9, 2017	REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.
CVE-2015-1174	Cri	0.64	9.8	0.01	Aug 2, 2017	Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id.
CVE-2016-9125	Cri	0.64	9.8	0.01	Mar 28, 2017	Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session.
CVE-2025-24503	Cri	0.60	—	0.00	Jan 30, 2025	A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server.
CVE-2026-40010	Cri	0.59	9.1	0.00	May 6, 2026	Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
CVE-2023-52268	Cri	0.59	9.1	0.01	Nov 12, 2024	The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. NOTE: this module is not part of freescout-helpdesk/freescout on GitHub.
CVE-2026-41613	Hig	0.57	8.8	0.00	May 12, 2026	Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-22082	Hig	0.57	—	0.00	Jan 9, 2026	This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device.
CVE-2025-10228	Hig	0.57	8.8	0.00	Oct 14, 2025	Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking.This issue affects Agentis: before 4.44.
CVE-2024-13967	Hig	0.57	8.8	0.00	Jun 4, 2025	This vulnerability allows the successful attacker to gain unauthorized access to a configuration web page delivered by the integrated web Server of EIBPORT. This issue affects EIBPORT V3 KNX: through 3.9.8; EIBPORT V3 KNX GSM: through 3.9.8.
CVE-2024-45368	Hig	0.57	8.8	0.00	Sep 13, 2024	The H2-DM1E PLC's authentication protocol appears to utilize either a custom encoding scheme or a challenge-response protocol. However, there's an observed anomaly in the H2-DM1E PLC's protocol execution, namely its acceptance of multiple distinct packets as valid authentication responses. This behavior deviates from standard security practices where a single, specific response or encoding pattern is expected for successful authentication.
CVE-2017-11562	Hig	0.57	8.8	0.00	Dec 19, 2017	A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegura Web Application 2.2.23.8 via login_if.php.