CWE-384
Session Fixation
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61
CVEs mapped to this weakness (205)
page 11 of 11

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-5380 | | | 0.00 | — | 0.04 | | Oct 19, 2007 | Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions." |
| CVE-2007-4188 | | | 0.00 | — | 0.04 | | Aug 8, 2007 | Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. |
| CVE-2001-1534 | | | 0.00 | — | 0.01 | | Dec 31, 2001 | mod_usertrack in Apache 1.3.11 through 1.3.20 generates session IDs using predictable information including host IP address, system time and server process ID, which allows local users to obtain session IDs and bypass authentication when these session IDs are used for… |
| CVE-1999-0428 | | | 0.00 | — | 0.03 | | Mar 22, 1999 | OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. |
| CVE-2022-38369 | | — | 0.00 | — | 0.01 | — | | Apache IoTDB version 0.13.0 is vulnerable to a session id attack. Users should upgrade to version 0.13.1, which addresses this issue. |