VYPR

CWE-384

Session Fixation

Compound · Incomplete

Description

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61

CVEs mapped to this weakness (205)

page 10 of 11
  • CVE-2020-1762 · Apr 27, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An insufficient JWT validation vulnerability was found in Kiali versions 0.4.0 to 1.15.0 and was fixed in Kiali version 1.15.1, wherein a remote attacker could abuse this flaw by stealing a valid JWT cookie and using that to spoof a user session, possibly gaining privileges to…

  • CVE-2020-5205 · Jan 9, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Pow (Hex package) before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this…

  • CVE-2019-10158 · Jan 2, 2020
    risk 0.00 · cvss n/a · epss 0.02

    A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.

  • CVE-2019-17563 · Dec 23, 2019
    risk 0.00 · cvss n/a · epss 0.11

    When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the…

  • CVE-2010-3671 · Nov 5, 2019
    risk 0.00 · cvss n/a · epss 0.02

    TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.

  • CVE-2019-12203 · Sep 25, 2019
    risk 0.00 · cvss n/a · epss 0.00

    SilverStripe through 4.3.3 allows session fixation in the "change password" form.

  • CVE-2019-10371 · Aug 7, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

  • CVE-2019-7849 · Aug 2, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A defense-in-depth check was added to mitigate inadequate session validation handling by 3rd party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to…

  • CVE-2017-12619 · Apr 23, 2019
    risk 0.00 · cvss n/a · epss 0.05

    Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone".

  • CVE-2019-1003019 · Feb 6, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A session fixation vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

  • CVE-2018-1000409 · Jan 9, 2019
    risk 0.00 · cvss n/a · epss 0.01

    A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a…

  • CVE-2018-19443 · Nov 22, 2018
    risk 0.00 · cvss n/a · epss 0.01

    The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could…

  • CVE-2018-1127 · Med · Sep 11, 2018
    risk 0.00 · cvss 4.2 · epss 0.01

    Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.

  • CVE-2015-8124 · Dec 7, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.

  • CVE-2015-3982 · Jun 2, 2015
    risk 0.00 · cvss n/a · epss 0.02

    The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.

  • CVE-2014-4789 · Sep 10, 2014
    risk 0.00 · cvss n/a · epss 0.01

    Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors.

  • CVE-2012-2144 · Jun 5, 2012
    risk 0.00 · cvss n/a · epss 0.02

    Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie.

  • CVE-2010-1613 · Apr 29, 2010
    risk 0.00 · cvss n/a · epss 0.02

    Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.

  • CVE-2009-0256 · Jan 22, 2009
    risk 0.00 · cvss n/a · epss 0.02

    Session fixation vulnerability in the authentication library in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 allows remote attackers to hijack web sessions via unspecified vectors related to (1) frontend and (2) backend authentication.

  • CVE-2008-3222 · Jul 18, 2008
    risk 0.00 · cvss n/a · epss 0.03

    Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors.